CHAPTER 1:

Introduction 


Cryptography is often a word that the mainstream population associates with code breaking or secret military intelligence work performed in an underground bunker, a view no doubt promoted by movies such as The Da Vinci Code, Enigma, and National Treasure. While there is perhaps some truth in these stereotypes, cryptography is much more than this. The mathematics behind cryptography is what keeps many of our daily communications secure, i.e., safe enough from prying eyes.

Graph theory is an even more abstract concept for most people. The word graph typically generates a mental image so dated that most people would rather not revisit it: middle school algebra class, where basic functions were plotted on a two-dimensional plane. Graph theory, however, is an emerging field that studies relationships between objects from a mathematical perspective.

1.1  Motivation 

The motivation for this thesis came from a desire to connect two prominent areas of discrete mathematics: cryptography and graph theory. The two specific areas linked in this work are the Data Encryption Standard (DES) and spectral graph theory. DES has been analyzed extensively since its inception in the 1970s, mainly for its weaknesses, with the purpose of breaking the cipher and improving future algorithms. Some of the prominent researchers of DES include Carlisle Adams, Eli Biham, Ernest Brickell et al., Don Coppersmith, Marc Davio, Martin Hellman, Mitsuru Matsui, Adi Shamir, and Stafford Tavares, just to name a few. On the other hand, spectral graph theory arose in roughly the same timeframe as DES, with the intent of deducing properties of a graph from the spectra of its associated matrices. By this, we mean that a graph can be represented by a matrix whose eigenvalues and eigenvectors can be analyzed to determine information about the graph.

Within cryptography, the author was particularly motivated by the works of Claude Carlet, Thomas Cusick, and Pantelimon Stanica, who continue to solidify the role of Boolean functions (BFs) in cryptography. While BFs have their place in logic and circuit design, their use in cryptography continues to be a topic of relevance. Within spectral graph theory, the classic references are written by Norman Biggs, Dragos Cvetkovic et al., and Fan Chung. The more recent work by Stanley Florkowski [1], however, was particularly influential in directing the author's focus to something tangible rather than theoretical.

A  BF  has  a  graphical  representation,  known  as  a  Cayley  graph,  that  can  be  analyzed  in 
terms  of  its  spectrum.  The  term  spectrum  will  become  clearer  in  Chapters  4  and  5,  but  note 
that  a  BF  has  a  representation  in  terms  of  a  type  of  spectrum  and  a  graph  also  has  a  spectral 
representation  by  its  eigenvalues.  Anna  Bernasconi  and  Bruno  Codenotti  linked  these  two 
spectra  with  their  discovery  that  a  relation  exists  between  the  Walsh  spectrum  of  a  BF  and 
the  spectrum  of  its  associated  Cayley  graph. 

Up to this point, no one has attempted to analyze DES in terms of Cayley graph spectra. Some have analyzed aspects of BFs and their use in block ciphers such as DES, but no one has converted all eight substitution boxes (S-Boxes) in DES to a set of BFs and analyzed the spectra of their corresponding Cayley graph adjacency matrices.

1.2  Research  Questions 

DES is a block cipher utilizing a substitution step via the aforementioned boxes. These boxes form the nonlinear part of the algorithm and thus contribute to the overall security of the cipher. With this in mind, we aim to explore the following questions:

1. What are the BF representations of the DES S-Boxes?

2. What are the cryptographic properties of these BFs?

3. What properties of the associated Cayley graphs can be deduced from spectral graph theoretic techniques?

4. Is there a relationship between the Cayley graph spectra and the cryptographic properties of the associated BFs?

5. Do the DES S-Box BFs satisfy the propagation criteria (PC) of degree k?

1.3  Thesis  Organization 

Through the process of investigating the research questions, this thesis is organized in the following manner:

• Chapter 2 discusses the necessary background in algebra and number theory.

• Chapter 3 reviews basic concepts of cryptography and also discusses the organization of DES.

• Chapter 4 discusses BFs and their application in cryptography.

• Chapter 5 reviews graph theory terminology and introduces spectral graph theory.

• Chapter 6 examines the DES S-Boxes as BFs and their associated Cayley graphs.

• Chapter 7 extends the notion of propagation criteria to the DES BFs.

• Chapter 8 summarizes the results of this thesis and includes areas for future work.
CHAPTER 2:

Preliminaries on Algebra and Number Theory


This introductory chapter and the several that follow establish the foundation upon which the mathematics presented in this thesis depends. The algebra presented here goes beyond our usual idea of arithmetic, in that we consider familiar operations and sets on an abstract level. This chapter is by no means all-inclusive, and the interested reader should consult some of the more classic texts on abstract algebra by John Fraleigh [2] and Thomas Hungerford [3].

2.1  Number  Theory 

Number theory is primarily the study of the set of integers and their properties [4]. These topics essentially bridge the gap between basic arithmetic and advanced algebra. The definitions presented in this section are taken from [3].

2.1.1  Divisibility 

A set is an unordered collection of objects. We assume that the reader is familiar with some basic mathematical sets of numbers as follows:

$\mathbb{N} = \{0, 1, 2, 3, \ldots\}$

$\mathbb{Z} = \{\ldots, -2, -1, 0, 1, 2, \ldots\}$

$\mathbb{Q} =$


Definition 2.1.1. Let $a, b \in \mathbb{Z}$ with $a \neq 0$. Then a divides b, or a is a divisor of b, or b is a multiple of a, if $b = ak$ for some integer k. We denote this by $a \mid b$.

Definition 2.1.2. A nonzero integer p is called prime if its only divisors are $\pm 1$ and $\pm p$.

EXAMPLE 2.1.3. $-5$, 3, 11, and 29 are prime but 24 is not.

Definition 2.1.4. Let $a, b \in \mathbb{Z}$, not both zero. The greatest common divisor (gcd) of a and b is the largest $d \in \mathbb{Z}$ that divides both a and b. Equivalently, d is the gcd of a and b provided that:

(i) $d \mid a$ and $d \mid b$;

(ii) $c \mid a$ and $c \mid b \implies c \leq d$ (for all $c \in \mathbb{Z}^+$).

EXAMPLE 2.1.5. The gcd of 8 and 36 is 4.

Definition 2.1.6. If $\gcd(a, b) = 1$, then a and b are called relatively prime.

EXAMPLE 2.1.7. 9 and 25 are relatively prime.

2.1.2  Congruence 

This section continues the concept of divisibility, while also introducing congruence and congruence classes. Once again, these definitions and concepts are taken from [3].

Definition 2.1.8. Let $a, b, n \in \mathbb{Z}$ with $n > 0$. Then a is congruent to b modulo n provided that $n \mid (a - b)$ or $n \mid (b - a)$. Note: This is written as $a \equiv b \pmod{n}$.

EXAMPLE 2.1.9. $23 \equiv 11 \pmod{6}$ since $6 \mid (23 - 11)$. Also, $4 \equiv 13 \pmod{3}$ since $3 \mid (13 - 4)$.

If we alter the second part of Example 2.1.9, note that $4 \equiv 16 \pmod{3}$, $4 \equiv 19 \pmod{3}$, $4 \equiv 22 \pmod{3}$, ... This allows us to define the notion of a congruence class.

Definition 2.1.10. Let $a, n \in \mathbb{Z}$ with $n > 0$. The congruence class of a modulo n (denoted $[a]$) is the set of all integers congruent to a modulo n, i.e.,

$[a] = \{b : b \in \mathbb{Z} \text{ and } b \equiv a \pmod{n}\}$.

EXAMPLE 2.1.11. In congruence modulo 4, $[3] = \{\ldots, -9, -5, -1, 3, 7, 11, 15, 19, \ldots\}$, sometimes also denoted $[3]_4$. Also, note that $[3]_4 = [-1]_4$. In some circles, $[3]_4$ is also called the residue class of 3 mod 4.

The next logical question is how many congruence classes there are for a given n. After all, $[3]_4 = [-1]_4 = [7]_4 = [11]_4 = \cdots$, but $[2]_4 \neq [3]_4$. The answer lies in Definition 2.1.12.
Definition 2.1.12. The set of all congruence classes modulo n is a partitioning of the set $\mathbb{Z}$ into n distinct equivalence classes, given by

$\mathbb{Z}_n = \{[0], [1], [2], \ldots, [n-1]\}$.

EXAMPLE 2.1.13. $\mathbb{Z}_4 = \{[0], [1], [2], [3]\}$. This means that the elements of $\mathbb{Z}_4$ are congruence classes and not integers. Here are the elements of $\mathbb{Z}_4$:

$[0] = \{\ldots, -8, -4, 0, 4, 8, 12, \ldots\}$

$[1] = \{\ldots, -7, -3, 1, 5, 9, 13, \ldots\}$

$[2] = \{\ldots, -6, -2, 2, 6, 10, 14, \ldots\}$

$[3] = \{\ldots, -5, -1, 3, 7, 11, 15, \ldots\}$.

The important distinction here is that while each congruence class in $\mathbb{Z}_n$ has infinitely many elements [3], there are only a finite number of distinct congruence classes in $\mathbb{Z}_n$. Thus, while it is true that $[-3]_4 = [1]_4 = [5]_4 = [9]_4$, the distinct classes of $\mathbb{Z}_4$ are $[0]$, $[1]$, $[2]$, and $[3]$.

2.1.3  Modular  Arithmetic 

Ever since grade school, we have performed operations on the integers. The integers, however, are an infinite set, and the set we are interested in, $\mathbb{Z}_n$, is a finite set. We would like a way to perform operations on $\mathbb{Z}_n$, and this is where modular arithmetic emerges.

Returning to the idea of congruence, recall that $a \equiv b \pmod{n} \iff n \mid (a - b)$. This number n is called the modulus, and in the context of this congruence, mod represents a relation on the integers [4]. We now introduce some new notation that is closely related.

If we were asked to compute $\frac{11}{4}$ in grade school, most of us resorted to long division:

          2
      4 ) 11
          8
         ---
          3

In traditional grade school terminology, 4 is the divisor, 11 is the dividend, 2 is the quotient, and 3 is the remainder. In the context of abstract algebra and cryptography, the remainder (sometimes called the residue) is often the object that garners the most attention.

Definition 2.1.14. The notation $r = a \bmod d$, where a is the dividend, d is the divisor, and r is the remainder, represents the smallest positive remainder when a is divided by d.

EXAMPLE 2.1.15. $11 \bmod 4 = 3$, $-7 \bmod 4 = 1$, $7 \bmod 4 = 3$, $136 \bmod 13 = 6$. Note: $-7 \bmod 4 = 1$ since $-7 = 4(-2) + 1$ as a result of the division algorithm (omitted by assumption of reader knowledge).

The notation $\bmod n$ is a function, but is closely related to the mod defined in congruence. The relationship is given by Theorem 2.1.16 [4].

Theorem 2.1.16. Let $a, b \in \mathbb{Z}$ and let $n \in \mathbb{Z}^+$ (the set of positive integers). Then $a \equiv b \pmod{n} \iff a \bmod n = b \bmod n$.

Proof: ($\Rightarrow$) $a \equiv b \pmod{n} \implies n \mid (a - b) \implies a - b = nk,\ k \in \mathbb{Z}$. $(*)$

Then $a = nk + b$, so we let $r = a \bmod n$. Then $\exists\, q \in \mathbb{Z}$ such that $a = nq + r$, $0 \leq r < n$, by the Division Algorithm. Now substitute $a = nq + r$ into $(*)$:

$nq + r - b = nk$
$n(q - k) + r = b, \quad (q - k) \in \mathbb{Z}$
$r = b \bmod n$

$b \bmod n = a \bmod n$

($\Leftarrow$) Let $r = a \bmod n = b \bmod n$. Then $a = nq_1 + r$ and $b = nq_2 + r$. Solving these equations for r, we have $r = a - nq_1$ and $r = b - nq_2$. Therefore,

$a - nq_1 = b - nq_2$
$a - b = nq_1 - nq_2$

$a - b = n(q_1 - q_2), \quad (q_1 - q_2) \in \mathbb{Z}$
$n \mid (a - b)$
$a \equiv b \pmod{n}$
Armed with this knowledge, we can now define arithmetic on $\mathbb{Z}_n$. The two operations that we are concerned with are addition and multiplication.

Definition 2.1.17. Addition and multiplication in $\mathbb{Z}_n$ are defined by

$[a]_n + [b]_n = [a + b]_n = (a + b) \bmod n$
$[a]_n \cdot [b]_n = [ab]_n = (a \cdot b) \bmod n$.

EXAMPLE 2.1.18. In $\mathbb{Z}_6$, $[3] + [2] = [5]$, $[4] + [5] = [3]$, and $[3] \cdot [2] = [0]$.
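
The following Python code is an added example and is not part of the thesis; it implements the number-theoretic notions of Section 2.1 as small functions: divisibility (Definition 2.1.1), the gcd by the Euclidean algorithm (Definition 2.1.4), the division algorithm behind $a \bmod d$ (Definition 2.1.14, including the negative-dividend case of Example 2.1.15), congruence (Definition 2.1.8), an exhaustive check of Theorem 2.1.16 on a range of integers, and the operations of Definition 2.1.17 on $\mathbb{Z}_n$. All function names (`divides`, `mod`, `zn_add`, ...) are this example's own.

```python
# Added example (not from the thesis): integer divisibility, gcd, the
# division algorithm, congruence and arithmetic in Z_n as introduced in
# Definitions 2.1.1 through 2.1.17. All function names are this example's own.
from itertools import product


def divides(a, b):
    """a | b  <=>  b = a*k for some integer k (Definition 2.1.1, a != 0)."""
    if a == 0:
        raise ValueError("Definition 2.1.1 requires a != 0")
    return b % a == 0


def gcd(a, b):
    """Greatest common divisor by the Euclidean algorithm (Definition 2.1.4):
    gcd(a, b) = gcd(b, a mod b) until the remainder is 0."""
    if a == 0 and b == 0:
        raise ValueError("gcd(0, 0) is undefined: a and b may not both be zero")
    a, b = abs(a), abs(b)
    while b:
        a, b = b, a % b
    return a


def division_algorithm(a, d):
    """Return (q, r) with a = d*q + r and 0 <= r < d, for d > 0. Written out
    so the rule for negative dividends is explicit: -7 = 4*(-2) + 1."""
    if d <= 0:
        raise ValueError("divisor must be positive")
    q = a // d            # floor division rounds toward -infinity ...
    r = a - d * q         # ... so the remainder always lands in [0, d)
    return q, r


def mod(a, d):
    """r = a mod d, the residue of a on division by d (Definition 2.1.14)."""
    return division_algorithm(a, d)[1]


def congruent(a, b, n):
    """a = b (mod n)  <=>  n | (a - b)  (Definition 2.1.8)."""
    return divides(n, a - b)


def theorem_2_1_16_holds(n, bound=30):
    """Exhaustively check a = b (mod n) <=> a mod n = b mod n for |a|, |b| <= bound."""
    rng = range(-bound, bound + 1)
    return all(congruent(a, b, n) == (mod(a, n) == mod(b, n))
               for a, b in product(rng, repeat=2))


def congruence_class(a, n, bound=12):
    """The members of [a]_n = {b in Z : b = a (mod n)} with |b| <= bound."""
    return [b for b in range(-bound, bound + 1) if congruent(b, a, n)]


def zn_add(a, b, n):
    """[a]_n + [b]_n = [a + b]_n = (a + b) mod n (Definition 2.1.17)."""
    return mod(a + b, n)


def zn_mul(a, b, n):
    """[a]_n * [b]_n = [ab]_n = (a * b) mod n (Definition 2.1.17)."""
    return mod(a * b, n)


if __name__ == "__main__":
    print(gcd(8, 36), gcd(9, 25))                 # 4 1   (Examples 2.1.5, 2.1.7)
    print(mod(11, 4), mod(-7, 4), mod(136, 13))   # 3 1 6 (Example 2.1.15)
    print(congruence_class(3, 4))                 # [-9, -5, -1, 3, 7, 11]
    print(zn_add(4, 5, 6), zn_mul(3, 2, 6))       # 3 0   (Example 2.1.18)
```

The division algorithm is spelled out rather than relying on the `%` operator so that the reader can see why $-7 \bmod 4 = 1$ and not $-3$; languages whose remainder operator takes the sign of the dividend (C, Java) would give $-3$ here, a classic source of off-by-modulus bugs in hand-written modular code.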

2.2  Abstract  Algebra  Concepts 

The remaining portion of this chapter will focus on the abstract algebra concepts at the heart of cryptography. For a truly deep understanding of these topics, the reader should consult an algebra reference with a cryptographic focus such as Fraleigh [2] or Rudolf Lidl and Harald Niederreiter [5].

2.2.1  Binary  Operations 

We  first  need  to  define  a  few  operations  on  mathematical  sets.  It  is  assumed  that  the  reader 
has  some  basic  knowledge  of  set  theory. 

Definition 2.2.1. Let A and B be sets. The Cartesian product of A and B is given by the set $A \times B$, defined [2] as

$A \times B = \{(a, b) : a \in A \text{ and } b \in B\}$.

EXAMPLE 2.2.2. If $A = \{a, b\}$ and $B = \{y, z\}$, then $A \times B = \{(a, y), (a, z), (b, y), (b, z)\}$.

For the purposes of upcoming material, we will often be concerned with the Cartesian product of two sets which are the same, i.e., $A \times A$. Consider $\mathbb{Z}$, the set of integers, and the familiar operation of addition. If we take two arbitrary integers, say u and v, and perform addition on them, we get back another integer w (of course w may or may not be equal to u or v). We have just defined, albeit informally, a binary operation on $\mathbb{Z}$.

Definition 2.2.3. A binary operation [2] on a nonempty set S is a function mapping $S \times S$ into S, given mathematically as $f : S \times S \to S$.

This operation is symbolized by $*$, to indicate any general function satisfying the definition. For example, addition is not the only binary operation on $\mathbb{Z}$ (multiplication is one as well). In other words, assuming $(a, b) \in S \times S$, a binary operation $*$ on S assigns $(a, b)$ to $a * b \in S$.

2.2.2  Groups 

We now turn our attention to one of the oldest algebraic systems in mathematics: groups. Group theory, or the study of groups, was introduced by Evariste Galois. In this sense, group theory is also known as Galois theory. Galois was a 19th century French mathematician who lived just 20 years, meeting his fate following a pistol duel. Despite spending the majority of his teen years trying to gain acceptance into school and failing, Galois did manage to record his discoveries. One of these results involved the solvability of an algebraic equation of high order using radicals; the method became known as group theory [6].


Definition 2.2.4. A group is a nonempty set G together with a binary operation $*$ that satisfies the following axioms:

1. Closure: If $a, b \in G$, then $a * b \in G$.¹

2. Associativity: $(a * b) * c = a * (b * c)\ \forall\, a, b, c \in G$.

3. Existence of an identity: $\exists\, e \in G$ such that $\forall\, a \in G$, $a * e = a = e * a$.

4. Existence of an inverse: $\forall\, a \in G$, $\exists\, a' \in G$ such that $a * a' = a' * a = e$.

A group is abelian (sometimes called commutative) if it also satisfies the following axiom:

5. Commutativity: $a * b = b * a\ \forall\, a, b \in G$.

EXAMPLE 2.2.5. $(\mathbb{Z}, +)$ is an abelian group. The sum of any two integers is another integer; the addition is associative. The identity element in $\mathbb{Z}$ is 0 and the inverse element is just the element of opposite sign. Also, addition of integers is commutative.

EXAMPLE 2.2.6. $(\{[0], [1], [2], \ldots, [n-1]\}, [a + b]_n)$ is a group under addition modulo n.

¹ Some texts do not include this axiom since closure is an inherent property of a binary operation.
EXAMPLE 2.2.7. The set of all $n \times n$ matrices with real entries under matrix multiplication is not a group. In particular, the zero matrix has no inverse.

With regard to Examples 2.2.5 and 2.2.6, $(\mathbb{Z}, +)$ is an example of an infinite group because it contains infinitely many elements. The second example is a finite group because it contains a finite number of elements. The number of elements in a finite group G is the order of the group [5]. For those familiar with set theory, this term is analogous to the cardinality of a finite set. We also sometimes refer to a group under addition as an additive group, while a group whose binary operation is multiplication is called a multiplicative group.

A convenient way to display a group under its binary operation is via the Cayley table, sometimes also called a group table or addition/multiplication table. In this table, the elements of a group G are placed along the top row and leftmost column, and the $(i, j)$ entry in this table represents $a_i * b_j$. For example, Table 2.1 displays the group $\mathbb{Z}_5$ under addition modulo 5.


   +  | [0] [1] [2] [3] [4]
  ----+--------------------
  [0] | [0] [1] [2] [3] [4]
  [1] | [1] [2] [3] [4] [0]
  [2] | [2] [3] [4] [0] [1]
  [3] | [3] [4] [0] [1] [2]
  [4] | [4] [0] [1] [2] [3]

Table 2.1: The Cayley Table for $\mathbb{Z}_5$.


There  is  much  more  detail  in  the  realm  of  group  theory,  but  that  is  beyond  the  knowledge 
required  for  this  thesis.  The  interested  reader  should  consult  [2, 5]  for  a  deeper  look. 

2.2.3  Rings 

We now move on to the concept of a ring, in which two binary operations and additional axioms are now defined. While the origins of a ring date back to the mid-19th century, the formal definitions of a ring and ring theory did not appear until the early 1900s. William R. Hamilton first described a complex number system coined the quaternions, in which he attempted to apply vector algebra to 3-dimensional space. This formed the basis upon which subsequent mathematicians attempted to study finite commutative and noncommutative algebras. Israeli mathematician Abraham Fraenkel and Japanese mathematician Shezo Sono are credited with defining the concept of a ring in 1914 and 1917, respectively. Emmy Noether and Emil Artin formally theorized rings in the 1920s, and ring theory took off from there with the works of Wolfgang Krull and others [6, 7].


Definition 2.2.8. A ring $(R, +, \cdot)$ is a nonempty set R together with two binary operations $+$ and $\cdot$, which we call addition and multiplication, such that the following axioms are satisfied [2, 5]:

1. $(R, +)$ is an abelian group.

2. Multiplication is associative, i.e., $(a \cdot b) \cdot c = a \cdot (b \cdot c)\ \forall\, a, b, c \in R$.

3. The distributive laws hold, i.e., $\forall\, a, b, c \in R$, we have $a \cdot (b + c) = a \cdot b + a \cdot c$ and $(b + c) \cdot a = b \cdot a + c \cdot a$.

EXAMPLE 2.2.9. The set of integers $\mathbb{Z}$ is a ring with the usual addition and multiplication. Verification of the axioms is left to the reader.

Some rings have additional special properties that are worth noting. A ring is commutative if the multiplication operation $\cdot$ is commutative. Also, a ring is called a ring with identity if R contains a multiplicative identity, i.e., there exists an element e such that $a \cdot e = a = e \cdot a\ \forall\, a \in R$. Thus, $\mathbb{Z}$ is a commutative ring with identity [5].

EXAMPLE 2.2.10. The set of even integers with the usual operations is a ring; in fact it is a commutative ring. The set of odd integers is not a ring since closure under addition is not satisfied.

EXAMPLE 2.2.11. The sets $\mathbb{Q}$, $\mathbb{C}$, and $\mathbb{R}$ are all commutative rings with identity.

2.2.4  Fields 

The interesting thing about fields is that mathematicians were studying them well before the formal concept of a ring was defined, yet we often define fields as a special type of ring. Niels Abel and Galois inferred the idea of a field with their work on the solvability of equations circa the 1830s; it was not until 1879, when Richard Dedekind published an explicit definition for a field, that interest in the subject was stimulated. Dedekind focused on infinite sets, whereas Heinrich Weber discussed the notion of finite fields in 1893. It was Galois, however, who perhaps influenced the development of field theory the most. As a result, finite fields are also known as Galois fields [2, 6].

Definition  and  Examples 

Definition 2.2.12. A field F is a commutative ring R with identity $e \neq 0$ also satisfying the following axiom [3]:

★ $\forall\, a \neq 0 \in R$, the equation $ax = e$ has a solution in R [every nonzero element has a multiplicative inverse].


An alternative definition of a field given by Fraleigh [2] and Lidl and Niederreiter [5] is perhaps more appealing to the mathematically inclined:

Definition 2.2.13. (i) A ring with a multiplicative identity is called a ring with identity; the identity is often called unity.

(ii) A ring in which multiplication is commutative is called a commutative ring.

(iii) A ring is an integral domain if it is a commutative ring with identity $e \neq 0$ in which $ab = 0 \implies a = 0$ or $b = 0$.

(iv) A ring is called a division ring if the nonzero elements of R form a group under multiplication (every nonzero element has a multiplicative inverse in R).

(v) A commutative division ring is called a field.


Breaking down Definition 2.2.13, a field is a ring on which two binary operations (called multiplication and addition) are defined, also containing a unique zero element and identity $e \neq 0$. Since a field is a commutative division ring, its nonzero elements form an abelian group under multiplication. Part (iii) of the definition guarantees that a field has no zero divisors, since all nonzero elements have a multiplicative inverse.

EXAMPLE 2.2.14. $\mathbb{Q}$, $\mathbb{R}$, and $\mathbb{C}$ are all fields. However, $\mathbb{Z}$ is not a field since not all nonzero elements have a multiplicative inverse, e.g., $3x = 1$ has no solution in $\mathbb{Z}$.

EXAMPLE 2.2.15. In general, $\mathbb{Z}_n$ is not an integral domain and thus not a field, but when $n = p$, a prime, $\mathbb{Z}_p$ is an integral domain and thus a field (proof omitted). For example, in $\mathbb{Z}_4$ we have $2 \cdot 2 = 0$ but $2 \neq 0$.
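
As an added example (not code from the thesis or its references), the following Python code checks the four group axioms of Definition 2.2.4 by brute force on a small finite set, builds the Cayley table of Table 2.1 for $(\mathbb{Z}_5, +)$, and reuses the same check on the nonzero elements of $\mathbb{Z}_n$ under multiplication mod n, which is exactly the test in Definition 2.2.13 (iv) and (v): $\mathbb{Z}_5$ passes, while $\mathbb{Z}_4$ fails closure because $2 \cdot 2 = 0$ (Example 2.2.15). Function names such as `is_group` and `zn_is_field` are this example's own.

```python
# Added example (not from the thesis): brute-force check of the group axioms
# of Definition 2.2.4, the Cayley table of Table 2.1, and the field test of
# Definition 2.2.13 (iv)-(v) applied to Z_n as in Example 2.2.15.
from itertools import product


def is_group(elements, op):
    """Return (ok, reason) for the set `elements` under `op`, checking
    closure, associativity, identity and inverses exhaustively, so this is
    only meant for small finite sets."""
    elems = list(elements)
    for a, b in product(elems, repeat=2):                    # 1. closure
        if op(a, b) not in elems:
            return False, f"closure fails: {a}*{b} = {op(a, b)} not in set"
    for a, b, c in product(elems, repeat=3):                 # 2. associativity
        if op(op(a, b), c) != op(a, op(b, c)):
            return False, f"associativity fails at ({a}, {b}, {c})"
    identity = next((e for e in elems                        # 3. identity
                     if all(op(a, e) == a == op(e, a) for a in elems)), None)
    if identity is None:
        return False, "no identity element"
    for a in elems:                                          # 4. inverses
        if not any(op(a, x) == identity == op(x, a) for x in elems):
            return False, f"{a} has no inverse"
    return True, f"group with identity {identity}"


def is_abelian(elements, op):
    """A group that also satisfies axiom 5, commutativity."""
    elems = list(elements)
    return is_group(elems, op)[0] and all(
        op(a, b) == op(b, a) for a, b in product(elems, repeat=2))


def cayley_table(elements, op):
    """Rows of the Cayley table: a header row (None, then the elements),
    then one row per element a holding a followed by a*b for each b."""
    elems = list(elements)
    return [[None] + elems] + [[a] + [op(a, b) for b in elems] for a in elems]


def zn_is_field(n):
    """Z_n is a field iff its nonzero elements form a group under
    multiplication mod n (commutativity is automatic). Returns (ok, reason)."""
    return is_group(range(1, n), lambda a, b: (a * b) % n)


def zero_divisors(n):
    """Pairs of nonzero a, b in Z_n with a*b = 0; empty exactly when n is
    prime (or n = 1), e.g. [(2, 2)] for Z_4."""
    return [(a, b) for a in range(1, n) for b in range(1, n) if (a * b) % n == 0]


if __name__ == "__main__":
    z5_add = lambda a, b: (a + b) % 5
    for row in cayley_table(range(5), z5_add):              # reproduces Table 2.1
        print("  ".join("+" if x is None else f"[{x}]" for x in row))
    print(is_abelian(range(5), z5_add))                     # True
    print(zn_is_field(5))   # (True, 'group with identity 1')
    print(zn_is_field(4))   # (False, 'closure fails: 2*2 = 0 not in set')
    print(zero_divisors(4)) # [(2, 2)]
```

The exhaustive check is cubic in the size of the set, which is fine for $\mathbb{Z}_n$ with small n but is only a learning aid; the point is that the same `is_group` predicate, applied to $\mathbb{Z}_n \setminus \{0\}$ under multiplication, decides whether $\mathbb{Z}_n$ is a field, and the returned reason names the failing axiom.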

Finite  Fields 

Example 2.2.15 above illustrates a concept which is at the heart of cryptography, that of the finite field. A finite field is a field that contains only finitely many elements. While the theory of finite fields is very deep and mathematical, the background presented here is enough to give the reader a baseline of knowledge. Lidl and Niederreiter [5] devote an entire text to the subject.

Recall that we denoted the set of all congruence classes modulo n as $\mathbb{Z}_n$. By noting that this set is also the set of possible remainders when a positive integer is divided by n, we can also refer to this as the set of residue classes mod n. We now define an ideal, which is a subring J of a ring R such that for all $a \in J$ and $r \in R$ we have $ar \in J$ and $ra \in J$. Note, for J to be a subring, J must be closed under $+$ and $\cdot$ and also satisfy the ring axioms. An ideal J partitions a ring R into disjoint sets (called cosets); these disjoint sets are the residue classes modulo J. The entire set of residue classes modulo J forms a ring with the operations induced from the operations of R (proof omitted), called the residue class ring of R modulo J, symbolized by $R/J$ [5]. Depending on the source, some texts also call this $R/J$ the factor ring (or quotient ring) of R by J [2].

When we consider our example from above, $\mathbb{Z}_n$, the residue class ring $\mathbb{Z}/(n)$ contains the following elements:

$[0] = 0 + (n),\ [1] = 1 + (n),\ \ldots,\ [n-1] = n - 1 + (n)$.

Instead of $(n)$, some texts also use the notation $n\mathbb{Z}$ to represent the ideal of $\mathbb{Z}$ in the factor ring $\mathbb{Z}/n\mathbb{Z}$. The notation $(n)$ is the same as $n\mathbb{Z}$; it is the principal ideal generated by n, i.e., the set of all multiples of n in $\mathbb{Z}$. While not shown here, $\mathbb{Z}_n$ is isomorphic to $\mathbb{Z}/n\mathbb{Z}$, i.e., there is an injective and surjective homomorphism between the two (preserving the respective operations). Since $\mathbb{Z}_n$ is a field if and only if $n = p$, a prime, the factor ring $\mathbb{Z}/n\mathbb{Z}$ is a field if and only if n is a prime [2].

The residue class fields $\mathbb{Z}/(p)$, where p is a prime, form the basis for the finite fields used in this thesis. We would like a more convenient representation and usage of these residue class fields. A mapping is a convenient way to transfer the structure from one set to another [5]. The set without structure will be denoted by $GF(p) = \{0, 1, \ldots, p - 1\}$, where this is a set of integers with p elements. Let $\phi : \mathbb{Z}/(p) \to GF(p)$ be a bijective mapping defined by $\phi([a]) = a$ for $a = 0, 1, \ldots, p - 1$. It is not too difficult to show that $\phi$ is also a homomorphism, i.e., $\phi([a] + [b]) = \phi([a]) + \phi([b])$ and $\phi([a][b]) = \phi([a])\phi([b])$. Since this mapping is a bijective homomorphism, it can also be called an isomorphism, whereby the structure on $GF(p)$ is induced by $\phi$. Moreover, since $\mathbb{Z}/(p)$ is a field when p is prime, $GF(p)$ is a field induced by $\phi$. Note, we are not stating that the elements of $\mathbb{Z}/(p)$ and $GF(p)$ are the same, only that the structure of a finite field is transferred between the two.

The finite field $GF(p)$ is so important that it is called the Galois field of order p after E. Galois. For conciseness, Galois fields are also denoted by $\mathbb{F}_p$ and will henceforth be referred to as such in this thesis. Since the elements of $\mathbb{F}_p$ are ordinary integers, arithmetic in the field is carried out modulo p.

Consider the following example for $\mathbb{F}_2 = \{0, 1\}$ in Table 2.2.

   +  | 0  1          ·  | 0  1
  ----+------        ----+------
   0  | 0  1          0  | 0  0
   1  | 1  0          1  | 0  1

Table 2.2: The Addition and Multiplication Tables for $\mathbb{F}_2$, after [5].


There are a few more things to say about Galois fields, but first we need a short buildup. We define the characteristic of a ring as the least positive integer n such that $na = 0$ for all elements a in the ring (if such n exists; otherwise the ring has characteristic 0) [2]. For example, the ring $\mathbb{Z}_n$ has characteristic n and the ring $\mathbb{Q}$ has characteristic 0.
Let F be a field and K a subfield of F (a subset that is also a field and closed under the usual operations). Then F is an extension field of K [5]. Now, if E is an extension field of F with dimension n as a vector space over F (see next subsection), then E is a finite extension of degree n over F. If a finite field F has q elements, then E has $q^n$ elements, assuming E is a finite extension of degree n over F. We can also regard E as a vector space (see next section) of dimension n over F.

If F is a finite field of characteristic p, a prime, then F contains exactly $p^n$ elements for some positive integer n [2]. This result follows from the previous paragraph. This result implies that for every prime p and every positive integer n, there exists exactly one finite field with $p^n$ elements, i.e., $GF(p^n) = \mathbb{F}_{p^n}$ exists, and moreover, it is unique up to an isomorphism.

Polynomials 

When we think of our usual idea of a polynomial, we remember something like $x^2 + 2x + 1$ from high school. In general, a polynomial can be written as $a_0 + a_1 x + \cdots + a_n x^n$ or as a sum $\sum_{i=0}^{n} a_i x^i$. We now expand this concept to rings.

Let R be a ring. A polynomial over R is an expression of the form

$f(x) = \sum_{i=0}^{n} a_i x^i = a_0 + a_1 x + \cdots + a_n x^n \qquad (2.1)$

where n is a nonnegative integer and the $a_i$ are elements of R [5]. The symbol x is no longer called a variable, but rather an indeterminate; x does not belong to R. Since R is a ring, we also need to define its two binary operations, addition and multiplication. Let $f(x) = \sum_{i=0}^{n} a_i x^i$ and $g(x) = \sum_{i=0}^{n} b_i x^i$. The sum of $f(x)$ and $g(x)$ is given by $f(x) + g(x) = \sum_{i=0}^{n} (a_i + b_i) x^i$. Now, let $f(x) = \sum_{i=0}^{n} a_i x^i$ and $g(x) = \sum_{j=0}^{m} b_j x^j$. Then the product is given by $f(x)g(x) = \sum_{k=0}^{n+m} c_k x^k$, where $c_k = \sum_{i+j=k} a_i b_j$.

This ring R together with the addition and multiplication operations above is called the polynomial ring over R [5] and is denoted by $R[x]$.

EXAMPLE 2.2.16. In $\mathbb{F}_2[x]$, the expansion of $(x + 1)^2$ is $(x + 1)^2 = (x + 1)(x + 1) = x^2 + 2x + 1 = x^2 + 1$ and in general, $(x + a)^{2^n} = x^{2^n} + a^{2^n}$.
For cryptography purposes, we are more interested in polynomials over fields, but the approach is somewhat different. Let $F$ be a field. Then $F[x]$ is an integral domain but not a field, since $x$ does not have a multiplicative inverse in $F[x]$, i.e., in $F[x]$, $x f(x) = 1$ has no solutions [2]. We can get around the fact that $F[x]$ is not a field because every integral domain has a field of quotients. This field of quotients is denoted by $F(x)$ and consists of all quotients of the form $f(x)/g(x)$, with $f(x)$ and $g(x)$ polynomials in $F[x]$ and $g(x) \neq 0$ [2]. $F(x)$ is also called the field of rational functions over $F$; its elements are called rational functions.

EXAMPLE 2.2.17. In the most general sense, $F[x]$ is the ring of polynomials with coefficients in some arbitrary field $F$. $\mathbb{F}_5[x]$ consists of all polynomials whose coefficients are in $\mathbb{F}_5$.

We now proceed to develop and define two more concepts which are essential to cryptographic functions: irreducibility and primitivity. Since $F[x]$ has a field of quotients, it is natural to expect operations such as division and factoring to be present. In fact they are, and just as with the integers, the division algorithm can be applied to polynomials in $F[x]$. Likewise, a greatest common divisor exists in $F[x]$, as does a least common multiple. The notion of a prime polynomial also exists, and the concept is analogous to that for the integers. Two polynomials $f$ and $g$ are relatively prime if $\gcd(f, g) = 1$. Similarly, a polynomial $p(x)$ is prime if it has the property that it divides the product $f(x)g(x)$ only when it divides one of $f(x)$ or $g(x)$. In other words, the only factors of $p(x)$ have either the same degree as $p$ or degree zero.

EXAMPLE 2.2.18. $p(x) = x^2 + 1$ is prime in $\mathbb{R}[x]$ since it does not factor into a product $f(x)g(x)$, where $f(x)$ and $g(x)$ are polynomials with real coefficients. It is, however, not prime (i.e., composite) in $\mathbb{C}[x]$!

Definition 2.2.19. A polynomial $p \in F[x]$ is irreducible over $F$ (or irreducible in $F[x]$, or prime in $F[x]$) if $p$ has positive degree and $p = bc$ with $b, c \in F[x]$ implies that either $b$ or $c$ is a constant polynomial.

In other words, an irreducible polynomial cannot be factored further except for a trivial factorization, i.e., $p$ cannot be expressed as a product $gh$ with both $g$ and $h$ of lower degree than the degree of $p$ [2, 5]. It should be apparent that the prime elements of $F[x]$ are the irreducible polynomials over a field $F$. Example 2.2.20 illustrates the idea of irreducibility.

EXAMPLE 2.2.20. $x^2 - 2 \in \mathbb{Q}[x]$ is irreducible over the field $\mathbb{Q}$ of rationals since it has no zeros in $\mathbb{Q}$. However, $x^2 - 2$ is reducible over $\mathbb{R}$ since it factors in $\mathbb{R}[x]$ into $(x + \sqrt{2})(x - \sqrt{2})$.


With  the  notion  of  an  irreducible  polynomial,  we  can  now  develop  the  idea  of  primitive 
polynomials.  First  we  need  to  define  the  order  of  a  nonzero  polynomial  over  a  finite  field, 
taken  from  Lidl  et  al. 

Definition 2.2.21. Let $f \in \mathbb{F}_q[x]$ be a nonzero polynomial. If $f(0) \neq 0$, then the least positive integer $e$ for which $f(x) \mid (x^e - 1)$ is called the order of $f$ and denoted by $\mathrm{ord}(f)$ or $\mathrm{ord}(f(x))$.

EXAMPLE 2.2.22. Let $f(x) = x^4 + x^3 + 1$ be a polynomial in $\mathbb{F}_2[x]$. The order of $f$ is 15, since $(x^4 + x^3 + 1) \mid (x^{15} - 1)$. Note that, since we are in $\mathbb{F}_2$, subtraction performs the same as addition and we may perform long division to check divisibility:

$$\frac{x^{15} - 1}{x^4 + x^3 + 1} = x^{11} + x^{10} + x^9 + x^8 + x^6 + x^4 + x^3 + 1,$$

with zero remainder.


Now  we  can  present  the  notion  of  a  primitive  polynomial.  Primitive  polynomials  are  used 
in  multiple  cryptographic  applications,  such  as  generating  maximal-period  linear  feedback 
shift  registers  (LFSRs)  or  pseudorandom  numbers.  Primitive  polynomials  are  also  used  in 
many  well-known  algorithms  such  as  Advanced  Encryption  Standard  (AES). 

Definition 2.2.23. A polynomial $f \in \mathbb{F}_q[x]$ of degree $m$ is a primitive polynomial over the field $\mathbb{F}_q$ if $f$ is monic, $f(0) \neq 0$, and $\mathrm{ord}(f) = q^m - 1$.

Note that in Definition 2.2.23 [5], the term monic means that the coefficient of the highest degree term is one. A primitive polynomial is a monic, irreducible polynomial over $\mathbb{F}_q$ and has a root $\alpha \in \mathbb{F}_{q^m}$ that generates the entire multiplicative group of $\mathbb{F}_{q^m}$. This is why many applications such as AES use primitive polynomials — they generate the entire Galois field used in the algorithm. Although it is true that a primitive polynomial is irreducible, it is not always true that an irreducible polynomial is primitive.
EXAMPLE 2.2.24. The polynomial in Example 2.2.22 is irreducible and primitive. As a check, $f$ is monic since the coefficient of $x^4$ is one. We now check that 0 is not a zero (aka root) of the polynomial, and we see that $f(0) = 0 + 0 + 1 = 1$. Finally, we require that $\mathrm{ord}(f) = 2^4 - 1$, which was verified as 15 previously.
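
The polynomial ring operations of (2.1), Example 2.2.16, the order computation of Example 2.2.22 and the primitivity check of Example 2.2.24 can all be carried out mechanically over $\mathbb{F}_2$. The following Python program is added here for illustration and is not part of the thesis; it stores a polynomial as an integer bit mask and implements addition, multiplication, long division, $\mathrm{ord}(f)$, and the irreducibility and primitivity tests of Definitions 2.2.19 and 2.2.23 by direct search (the names `poly_divmod`, `poly_order`, `is_irreducible` and `is_primitive` are ours). It also goes one step beyond the text by exhibiting $x^4 + x^3 + x^2 + x + 1$, an irreducible polynomial of order 5 that is therefore not primitive.

```python
# Polynomial arithmetic in F_2[x], with a polynomial stored as an int whose
# bit i is the coefficient a_i of x^i (so 0b11001 is x^4 + x^3 + 1).
# Added illustration; the function names are ours, not the thesis's.

def poly_degree(f: int) -> int:
    """Degree of f; the zero polynomial is reported as degree -1."""
    return f.bit_length() - 1

def poly_str(f: int) -> str:
    """Human-readable form, highest power first."""
    if f == 0:
        return "0"
    terms = []
    for i in range(poly_degree(f), -1, -1):
        if (f >> i) & 1:
            terms.append("1" if i == 0 else "x" if i == 1 else f"x^{i}")
    return " + ".join(terms)

def poly_add(f: int, g: int) -> int:
    """Coefficientwise addition mod 2 is XOR; in F_2 subtraction is the same operation."""
    return f ^ g

def poly_mul(f: int, g: int) -> int:
    """c_k = sum_{i+j=k} a_i b_j (mod 2): shift-and-XOR schoolbook product."""
    result, i = 0, 0
    while g >> i:
        if (g >> i) & 1:
            result ^= f << i
        i += 1
    return result

def poly_pow(f: int, e: int) -> int:
    """f^e by repeated multiplication (enough for small exponents)."""
    result = 1
    for _ in range(e):
        result = poly_mul(result, f)
    return result

def poly_divmod(f: int, g: int) -> tuple:
    """Long division in F_2[x]: returns (q, r) with f = q*g + r and deg r < deg g."""
    if g == 0:
        raise ZeroDivisionError("division by the zero polynomial")
    q, r, dg = 0, f, poly_degree(g)
    while r and poly_degree(r) >= dg:
        shift = poly_degree(r) - dg
        q ^= 1 << shift
        r ^= g << shift
    return q, r

def poly_order(f: int) -> int:
    """ord(f) of Definition 2.2.21: least e >= 1 with f | (x^e - 1); needs f(0) != 0."""
    if f & 1 == 0:
        raise ValueError("f(0) = 0, so ord(f) is undefined")
    e = 1
    while poly_divmod((1 << e) | 1, f)[1] != 0:   # x^e + 1 == x^e - 1 in F_2[x]
        e += 1
    return e

def is_irreducible(f: int) -> bool:
    """Trial division by every polynomial of degree 1 .. deg(f)//2 (Definition 2.2.19)."""
    d = poly_degree(f)
    if d < 1:
        return False
    return all(poly_divmod(f, g)[1] != 0 for g in range(2, 1 << (d // 2 + 1)))

def is_primitive(f: int) -> bool:
    """Definition 2.2.23 over F_2: monic (every nonzero bit mask is), f(0) != 0, ord(f) = 2^m - 1."""
    m = poly_degree(f)
    return m >= 1 and (f & 1) == 1 and poly_order(f) == (1 << m) - 1

if __name__ == "__main__":
    f = 0b11001                                   # x^4 + x^3 + 1 from Example 2.2.22
    print(poly_str(poly_pow(0b11, 2)))            # (x + 1)^2 = x^2 + 1 (Example 2.2.16)
    q, r = poly_divmod((1 << 15) | 1, f)
    print(poly_str(q), "remainder", poly_str(r))  # quotient of (x^15 + 1) / f, remainder 0
    print(poly_order(f), is_irreducible(f), is_primitive(f))   # 15 True True
    g = 0b11111                                   # x^4 + x^3 + x^2 + x + 1
    print(poly_order(g), is_irreducible(g), is_primitive(g))   # 5 True False
```

The search in `poly_order` terminates because every polynomial with $f(0) \neq 0$ divides some $x^e - 1$; for a degree-$m$ irreducible the bound is $2^m - 1$, which is exactly the case a primitive polynomial attains.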

2.2.5  Vector  Spaces 

Most readers are familiar with the concept of a vector space from a typical course in linear algebra. In a common text such as Steven Leon [8], a vector space is defined with the natural Euclidean approach. A vector space has two defined operations: addition and scalar multiplication, whereby these operations can be performed on any vector within the vector space. Consider the familiar two-dimensional world, or $x$-$y$ plane, denoted by $\mathbb{R}^2$. Any two vectors in $\mathbb{R}^2$ can be added together to produce another vector in $\mathbb{R}^2$; any vector in $\mathbb{R}^2$ can be multiplied by a scalar in $\mathbb{R}$ to also yield another vector in $\mathbb{R}^2$. This is just one example of a vector space in which closure of addition and scalar multiplication is satisfied. Formally, Leon defines a vector space in the following manner.

Definition 2.2.25. Let $V$ be a set on which the operations of addition and scalar multiplication are defined. By this we mean that, with each pair of elements $\mathbf{x}$ and $\mathbf{y}$ in $V$, we can associate a unique element $\mathbf{x} + \mathbf{y}$ that is also in $V$, and with each element $\mathbf{x}$ in $V$ and each scalar $\alpha \in \mathbb{R}$, we can associate a unique element $\alpha\mathbf{x}$ in $V$. The set $V$, together with the operations of addition and scalar multiplication, is said to form a vector space if the following axioms are satisfied:

A1. $\mathbf{x} + \mathbf{y} = \mathbf{y} + \mathbf{x}$ for any $\mathbf{x}$ and $\mathbf{y}$ in $V$.

A2. $(\mathbf{x} + \mathbf{y}) + \mathbf{z} = \mathbf{x} + (\mathbf{y} + \mathbf{z})$ for any $\mathbf{x}$, $\mathbf{y}$ and $\mathbf{z}$ in $V$.

A3. There exists an element $\mathbf{0}$ in $V$ such that $\mathbf{x} + \mathbf{0} = \mathbf{x}$ for each $\mathbf{x} \in V$.

A4. For each $\mathbf{x} \in V$, there exists an element $-\mathbf{x}$ in $V$ such that $\mathbf{x} + (-\mathbf{x}) = \mathbf{0}$.

A5. $\alpha(\mathbf{x} + \mathbf{y}) = \alpha\mathbf{x} + \alpha\mathbf{y}$ for each scalar $\alpha$ and any $\mathbf{x}$ and $\mathbf{y}$ in $V$.

A6. $(\alpha + \beta)\mathbf{x} = \alpha\mathbf{x} + \beta\mathbf{x}$ for any scalars $\alpha$ and $\beta$ and any $\mathbf{x} \in V$.

A7. $(\alpha\beta)\mathbf{x} = \alpha(\beta\mathbf{x})$ for any scalars $\alpha$ and $\beta$ and any $\mathbf{x} \in V$.

A8. $1 \cdot \mathbf{x} = \mathbf{x}$ for all $\mathbf{x} \in V$.

This  is  a  fine  definition  for  purposes  of  linear  algebra,  but  it  can  be  generalized  using  the 
concepts  of  groups  and  fields. 
Definition 2.2.26. [2] Let $F$ be a field. A vector space over $F$ is an additive abelian group $V$ together with a scalar multiplication of each element of $V$ by each element of $F$ on the left, such that for all $a, b \in F$ and $\alpha, \beta \in V$, the following conditions are satisfied:

V1. $a\alpha \in V$.

V2. $a(b\alpha) = (ab)\alpha$.

V3. $(a + b)\alpha = (a\alpha) + (b\alpha)$.

V4. $a(\alpha + \beta) = (a\alpha) + (a\beta)$.

V5. $1\alpha = \alpha$.

In Definition 2.2.26, the elements $a, b$ of an arbitrary field $F$ are scalars, while $\alpha, \beta$ are vectors.

EXAMPLE 2.2.27. The additive abelian group of all $2 \times 2$ matrices over the reals with the usual scalar multiplication involving matrices is a vector space over $\mathbb{R}$.

EXAMPLE 2.2.28. The complex numbers $\mathbb{C}$ form a vector space over the real numbers.

The dimension of a vector space $V$ is the number of linearly independent vectors needed to span or generate $V$. With this in mind, the dimension of $\mathbb{R}^2$ is two. A more applicable example to Definition 2.2.26 follows.

EXAMPLE 2.2.29. Let $E$ be a field with $E$ an extension field of $F$. Also, let $\alpha \in E$, where $\alpha$ is algebraic over $F$. By algebraic, we mean that there exists a non-zero polynomial $f(x) \in F[x]$ such that $f(\alpha) = 0$. Now suppose that the degree of $\alpha$ over $F$ is $n$. Then we can express the vectors in $F(\alpha)$ as linear combinations of $\{1, \alpha, \ldots, \alpha^{n-1}\}$, which are linearly independent in $F(\alpha)$ over $F$. This set of vectors also spans $F(\alpha)$, and thus it has dimension $n$.
CHAPTER 3:
Block Ciphers


This chapter introduces cryptography and the necessary information on block ciphers. In particular, an overview of the DES is presented with an eye towards each S-Box within the algorithm. For more information on block ciphers and other symmetric algorithms, the reader should refer to [9-11].


3.1  Introduction 

Cryptography is the process of designing communication systems over nonsecure channels. The word cryptography is often used interchangeably with cryptology, though the latter is technically the general word for the study of communication over nonsecure channels [12]. Historically, we might say that the origins of cryptography date back to primitive man and his method of communication with others. The first true example of cryptography, however, probably lies with the ancient Egyptians and their use of hieroglyphics. No matter the civilization nor the timeline, the need to protect information has always been present. The latter half of the 20th century introduced the digital computer, which ultimately made cryptography a required part of everyday life. Unfortunately, as technology advances, so do the means by which adversaries break these systems (known as cryptanalysis). As stated in [11]: “Cryptography is the only practical means for protecting the confidentiality of information transmitted through potentially hostile environments, where it is either impossible or impractical to protect the information by conventional physical means.”


3.2  Secure  Communications 

The need for cryptographic algorithms to protect data arises from the basic communication scenario between two (or multiple) people or entities. Cryptography introduces an algorithm or method to convert a message into an encrypted message and vice versa, so that two parties can communicate securely and not have their message read by another party.
3.2.1 Background

Consider the following scenario referenced in Figure 3.1. In this classic figure, two parties, Alice and Bob, want to communicate with each other. Meanwhile, a potential adversary named Eve (Eve for eavesdropper) wants to intercept this message.

Figure 3.1: The Basic Communication Scenario for Cryptography, after [12].

Alice could send Bob a message in the clear, i.e., unencrypted, but Eve could easily intercept it. Instead, Alice creates a plaintext message and encrypts it using an encryption key. Once encrypted, the message is now referred to as ciphertext. Bob receives the ciphertext and decrypts it back to plaintext using a decryption key. Keeping the contents of the message secure from Eve not only depends on the encryption/decryption method used, but more so on the keys. Encryption and decryption are encompassed in a cipher.

The algorithm and the keys together comprise a cryptosystem. With the exception of the one-time pad¹, every cryptosystem can theoretically be broken. Thus, great care is taken to create a cryptosystem that is mathematically too difficult to break in any reasonable amount of time. Claude Shannon introduced the concepts of confusion and diffusion in regards to good cryptosystem design. Confusion means that it is too difficult for an adversary to detect the outcome of the ciphertext from a one character change in the plaintext. In an algorithm with good confusion, the relationship between the plaintext/key and the ciphertext is often complex. On the other hand, diffusion means that few changes in the plaintext create many changes in the ciphertext. Thus, good diffusion implies that Eve needs a large portion of ciphertext to determine the algorithm and conduct a statistical attack [13].

¹In a one-time pad, the plaintext is encrypted one character at a time with a random nonrepeating set of key characters. The key characters are added to the plaintext characters modulo 26; the key is only used once and then discarded [9].
3.2.2 Types of Algorithms

There  are  two  types  of  cryptographic  algorithms:  symmetric  and  public  key.  In  a  symmetric 
algorithm,  the  encryption  and  decryption  keys  are  known  to  both  sender  and  receiver  [12]. 
Most  of  the  time  the  keys  are  the  same  and  other  times  they  are  closely  related  by  a  simple 
transformation.  Examples  of  symmetric  algorithms  include  the  DES  and  the  AES.  In 
contrast,  a  public  key  algorithm  uses  two  distinct  keys.  One  of  these  keys,  called  the  public 
key,  is  freely  available  to  any  party.  The  other  key,  called  the  private  key,  is  kept  secret;  each 
party  has  their  own  private  key  that  corresponds  to  the  public  key.  It  is  virtually  impossible 
for  an  adversary  to  deduce  the  private  key  in  a  reasonable  amount  of  time  given  the  public 
key.  In  a  typical  system,  the  encryption  key  is  the  public  key  and  the  decryption  key  is 
the  private  key  [9].  The  most  widely  known  public  key  cryptosystem  is  Rivest-Shamir- 
Adleman  (RSA). 

Symmetric  algorithms  can  be  classified  as  block  ciphers  or  stream  ciphers.  In  a  block 
cipher,  the  message  is  partitioned  into  predetermined  block  sizes,  fed  through  the  algorithm, 
output  in  blocks,  and  concatenated  for  the  receiver  to  interpret.  In  a  stream  cipher,  each 
character  in  the  plaintext  is  encrypted  separately  [13].  Section  3.3  will  cover  more  on  the 
topic  of  block  ciphers,  in  particular  DES. 

3.2.3  Keys 

The encryption/decryption keys are extremely important to the security of a cipher. Algorithms are generally public knowledge, therefore anyone with a brain can figure out how a plaintext message moves through the algorithm. However, it is a combination of the algorithm complexity and key length that ultimately determine how secure a cryptosystem will be.

If Eve knows the key, then she can read all messages encrypted with that key. Eve could conduct an exhaustive attack by trying all possible keys, but if the key is long enough, this could be infeasible. Therefore, it is generally true that a longer key is more difficult to break than a shorter one. For example, AES uses a variable key length of 128, 192, or 256 bits, where each bit is either a zero or one. Thus, the key space for a 256-bit AES key is $2^{256}$ possible keys, or roughly $1.1579 \times 10^{77}$. For some perspective, the Earth is approximately 4.54 billion years old ($4.54 \times 10^9$) while the universe is roughly 13.8 billion years old. From a purely theoretical standpoint, let us assume we have a processor that can perform $10^9$ encryptions per second. If a collection of 1000 processors attempts an exhaustive search of all $2^{128} \approx 3.4 \times 10^{38}$ keys for a 128-bit key, then it would take roughly $10^{19}$ years to search this space. Even if we had access to one of the world's fastest computers in China that operates at $33.86 \times 10^{15}$ floating point operations per second [14], at 300 operations per encryption this would take roughly over 95 quadrillion years to exhaust the key space.

3.3  Block  Ciphers 

The  history  of  the  term  block  cipher  is  somewhat  vague.  Many  classical  and  historical 
cryptosystems  are  deemed  block  ciphers,  but  the  modern-day  idea  of  a  block  cipher  was 
not  cemented  until  the  1970s.  Some  examples  of  early  block  ciphers  include:  Vigenere  (~ 
1550),  Playfair  (1854),  and  Hill  (1929).  In  1973,  the  National  Bureau  of  Standards  (NBS), 
the  current  National  Institute  of  Standards  and  Technology  (NIST),  issued  a  request  for 
a  cryptosystem  to  become  the  new  national  standard  for  encryption.  NBS  required  this 
standard  to  be  a  block  cipher,  essentially  initiating  the  formal  study  of  block  ciphers.  DES 
and  AES  are  the  two  most  common  examples  of  block  ciphers. 

3.3.1  Definition  and  Design 

Formally, a block cipher is a pair of functions [15] $E$ and $D$:

$$E : V_k \times V_n \to V_n \qquad (3.1)$$

$$D : V_k \times V_n \to V_n. \qquad (3.2)$$

In  other  words,  a  block  of  plaintext  of  bit  length  n  is  combined  with  a  key  of  bit  length 
k,  producing  an  encrypted  block  of  ciphertext  of  bit  length  n.  Similarly,  the  decryption 
function  takes  an  n-bit  ciphertext  with  a  k-bit  key  and  maps  the  combination  into  an  n-bit 
plaintext.  In  traditional  math  lingo,  E  and  D  undo  each  other  and  are  thus  inverses. 

Most modern block ciphers operate in iterated fashion, meaning the blocks of plaintext pass through a round function $f$ for a set number of rounds. The purpose of this is to increase algorithm security by repeatedly using the same function. Each round uses a different key derived from the previous one, further increasing the security. Figure 3.2 depicts the situation just described.

Figure 3.2: General Structure of a Block Cipher, from [15].


There  are  various  ways  to  design  a  cryptosystem  to  achieve  an  adequate  level  of  security 
in  encryption.  The  two  main  design  techniques  are  the  Feistel  system  and  substitution- 
permutation  networks  (SPN).  A  Feistel  system  is  depicted  in  Figure  3.3,  while  SPN  is 
displayed  in  Figure  3.4. 


Figure  3.3:  General  Structure  of  a  Feistel  System,  from  [16]. 


The Feistel system is named after the German-born cryptographer Horst Feistel. In the Feistel cipher, the first round is initiated with a split of a plaintext block into two halves, called the left and right. The right side and the round key pass through the round function, the result of which is then combined with the left side via the logical exclusive or (XOR) (in binary, this is equivalent to addition modulo 2). The result of this XOR then swaps with the preceding right side and becomes the new right side for the next round. This process then iterates over a set number of rounds. After the last round, the resulting left and right parts become the ciphertext block. Since this process must be invertible, decryption works in the same manner but in the reverse direction.
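
To make the invertibility argument concrete, here is a toy 16-bit Feistel network added as an example; it is not DES and not code from the thesis. The round function squares its input modulo 256, which is not a bijection, yet running the same network with the round keys in reverse order recovers the plaintext exactly, because each round only XORs $f(R, k)$ into the other half and the XOR cancels. The function names, the rotation-based key schedule and the constants are constructed for this illustration.

```python
# Toy 16-bit Feistel network: 8-bit halves, a deliberately non-invertible round
# function, and round keys derived from the master key by rotation. Constructed
# to show the structure described above; it is not DES and it is not secure.

HALF_MASK = 0xFF
ROUNDS = 4

def round_function(right: int, round_key: int) -> int:
    """f(R, k): mix the right half with the round key, then square modulo 256.
    Squaring is not a bijection (for example 1 and 255 collide), so f itself
    cannot be inverted; the Feistel structure guarantees decryption anyway."""
    t = (right ^ round_key) & HALF_MASK
    return (t * t + 0x35) & HALF_MASK

def key_schedule(master_key: int, rounds: int = ROUNDS) -> list:
    """Each round key is derived from the previous one (here by a 3-bit rotation)."""
    keys, k = [], master_key & HALF_MASK
    for _ in range(rounds):
        keys.append(k)
        k = ((k << 3) | (k >> 5)) & HALF_MASK
    return keys

def feistel(block: int, round_keys: list) -> int:
    """Run the rounds: L_{i+1} = R_i, R_{i+1} = L_i XOR f(R_i, k_i).
    The final swap is undone, so the same routine with the keys reversed
    is the decryption."""
    left, right = (block >> 8) & HALF_MASK, block & HALF_MASK
    for k in round_keys:
        left, right = right, left ^ round_function(right, k)
    return (right << 8) | left

def encrypt(block: int, master_key: int) -> int:
    return feistel(block, key_schedule(master_key))

def decrypt(block: int, master_key: int) -> int:
    return feistel(block, key_schedule(master_key)[::-1])

def is_permutation(master_key: int) -> bool:
    """Encryption under a fixed key must be a bijection on the 2^16 blocks."""
    return len({encrypt(b, master_key) for b in range(1 << 16)}) == 1 << 16

if __name__ == "__main__":
    c = encrypt(0x1234, 0x5A)          # constructed block and key
    print(hex(c), hex(decrypt(c, 0x5A)))
    print(is_permutation(0x5A))
```

Because the round function is never inverted, a Feistel design is free to use any keyed mapping for $f$; only the bijectivity of the whole network matters, and `is_permutation` checks that property exhaustively for the toy block size.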


Figure  3.4:  Substitution-Permutation  Network,  after  [15]. 


In the SPN, the encryption algorithm makes use of two basic cryptographic operations: substitution and permutation. SPNs are a type of product cipher because they involve more than one transformation, i.e., substitution and permutation, essentially mixing confusion and diffusion over and over again. The plaintext block and the initial key are combined via XOR, the result of which is then subdivided into smaller blocks and passed through a substitution step. Each of the boxes in Figure 3.4 labeled with an S is known as a substitution box (S-Box), and these introduce confusion in the cipher. In the substitution step, each character is replaced with another character. A permutation step follows substitution, in which the bits are permuted or re-ordered. Permutation generates diffusion in the cipher. Following the permutation step, the resulting block is combined with the next round key via XOR and the process iterates.
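
An added example of the SPN structure just described, not code from the thesis: a 16-bit block is XORed with a round key, each nibble passes through a 4-bit S-box, the 16 bits are permuted, and the process repeats; the last round key is XORed on at the end. The S-box is row 0 of the DES S-box S1, which is a permutation of 0..15; the bit permutation, the round keys and the function names are constructed for this illustration. Decryption applies the inverse S-box and the inverse permutation in reverse order.

```python
# Toy 16-bit substitution-permutation network, constructed for illustration.
# Substitution uses row 0 of the DES S-box S1 as a 4-bit bijection; the bit
# permutation, round keys and function names are ours.

SBOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8, 0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]
INV_SBOX = [SBOX.index(v) for v in range(16)]
# Bit i of the 16-bit state moves to position 4*i mod 15 (bit 15 stays put);
# this is a bijection because gcd(4, 15) = 1.
PERM = [(4 * i) % 15 if i < 15 else 15 for i in range(16)]
INV_PERM = [PERM.index(b) for b in range(16)]

def substitute(state: int, box: list) -> int:
    """Apply a 4-bit S-box to each nibble: confusion."""
    out = 0
    for nib in range(4):
        out |= box[(state >> (4 * nib)) & 0xF] << (4 * nib)
    return out

def permute(state: int, perm: list) -> int:
    """Move every bit to its new position: diffusion."""
    out = 0
    for i in range(16):
        if (state >> i) & 1:
            out |= 1 << perm[i]
    return out

def spn_encrypt(block: int, round_keys: list) -> int:
    """Round: XOR key, substitute, permute; the last key is XORed after the final round."""
    state = block
    for k in round_keys[:-1]:
        state = permute(substitute(state ^ k, SBOX), PERM)
    return state ^ round_keys[-1]

def spn_decrypt(block: int, round_keys: list) -> int:
    """Undo each round in reverse order with the inverse permutation and inverse S-box."""
    state = block ^ round_keys[-1]
    for k in reversed(round_keys[:-1]):
        state = substitute(permute(state, INV_PERM), INV_SBOX) ^ k
    return state

def bits_changed(a: int, b: int) -> int:
    """Hamming distance between two states."""
    return bin(a ^ b).count("1")

if __name__ == "__main__":
    keys = [0x3A94, 0x6D2B, 0xC1F0, 0x58E7]     # constructed round keys
    c = spn_encrypt(0xBEEF, keys)
    print(hex(c), hex(spn_decrypt(c, keys)))
    # Diffusion: count how many ciphertext bits a one-bit plaintext change touches.
    print(bits_changed(c, spn_encrypt(0xBEEF ^ 1, keys)))
```

Unlike the Feistel construction, an SPN needs every layer to be invertible on its own, which is why the S-box must be a bijection and why decryption is written as a separate routine rather than the same network with reversed keys.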

3.3.2  Advantages  and  Disadvantages 

One  of  the  primary  drawbacks  to  any  symmetric  algorithm  is  key  distribution  [13].  If  Alice 
wants  to  talk  to  Bob  using  a  symmetric  algorithm,  then  Alice  and  Bob  need  to  have  the 
same  key.  If  Alice  and  Bob  are  on  separate  continents,  however,  key  distribution  could 
prove  to  be  difficult.  In  addition,  if  Alice  wants  to  talk  with  Charles,  then  she  needs  a 
different  key  than  the  one  used  to  converse  with  Bob.  Key  generation  is  also  an  issue,  but 
this  process  will  be  discussed  more  in  depth  in  Section  3.4.  Block  ciphers  also  present  their 
own  advantages  and  disadvantages  as  displayed  in  Table  3.1. 


Block Encryption Algorithms

Advantages

• High diffusion. Information from the plaintext is diffused into several ciphertext symbols. One ciphertext block may depend on several plaintext letters.

• Immunity to insertion of symbols. Because blocks of symbols are enciphered, it is impossible to insert a single symbol into one block. The length of the block would then be incorrect, and the decipherment would quickly reveal the insertion.

Disadvantages

• Slowness of encryption. The person or machine using a block cipher must wait until an entire block of plaintext symbols has been received before starting the encryption process.

• Error propagation. An error will affect the transformation of all other characters in the same block, although there are techniques of self-healing when implementing the block cipher (see the next section).

Table 3.1: Analyzing Block Algorithms, after [13].
Additionally, while block ciphers can be used in a variety of modes, they are often more difficult to analyze mathematically than stream ciphers. However, block ciphers are often more suitable for software implementation because they avoid bit-by-bit computations and work on blocks of information that can be implemented in computers very efficiently [9].

3.3.3  Modes  of  Operation 

Recall  that  a  block  cipher  operates  on  a  block  of  plaintext.  Issues  arise,  however,  when  the 
message  size  differs  drastically  from  the  block  size.  For  example,  a  block  cipher  acting  on 
a  block  size  of  128  bits  needs  help  if  the  message  size  is  only  20  bits.  To  account  for  the 
varying  needs  of  users  and  their  messages,  block  ciphers  can  operate  in  a  variety  of  modes. 
The  most  common  modes  of  operation  are  listed  below: 

•  electronic  codebook  (ECB) 

•  cipher  block  chaining  (CBC) 

•  cipher  feedback  (CFB) 

•  output  feedback  (OFB) 

•  counter  (CTR). 

Electronic  Codebook  Mode 

ECB is the most common mode of operation for a block cipher. Given an encryption function $E_K$, a plaintext block $P$ is subdivided into smaller words $P = [P_1, P_2, \ldots, P_L]$ and produces the ciphertext $C = [C_1, C_2, \ldots, C_L]$, where $C_j = E_K(P_j)$ is the encryption of $P_j$ using the key $K$. In other words, each of the words in the plaintext is encrypted using the same key [10, 12]. Since each plaintext block encrypts independently of another, this mode is easy to work with and favors parallel processing on multiple machines. Additionally, errors in transmission remain within the associated block and do not affect other blocks. However, the major weakness with ECB is that identical blocks of plaintext encrypt to identical blocks of ciphertext. Due to redundancies in most communication, an adversary can detect repetitions and build a codebook without even knowing the key [9].

Cipher  Block  Chaining  Mode 

CBC incorporates the method of chaining, a feedback mechanism that resembles a recursive operation. The encryption of a given block depends on the encryption of previous blocks. Using notation from the previous paragraph, encryption is defined as

$$C_j = E_K(P_j \oplus C_{j-1}). \qquad (3.3)$$

Thus, as evidenced in Figure 3.5, the plaintext is XORed with the previous ciphertext block. Equation 3.3 allows for a value of $C_0$, which is some chosen initial value represented as an initialization vector (IV). The purpose of an IV is to make each message unique, thus alleviating the problem of identical plaintext messages encrypting to the same ciphertext messages [9].


Figure  3.5:  Cipher  Block  Chaining  Mode,  from  [17]. 


Cipher  Feedback  Mode 

CFB allows for encryption/decryption of a set of characters smaller than the block size. In this sense, CFB is a way to implement a block cipher as a stream cipher. In general, CFB operates in a $k$-bit mode, where $k$ is less than or equal to the block size. The plaintext $P = [P_1, P_2, \ldots]$ is broken down into $k$-bit chunks, where each $P_j$ has $k$ bits. Encryption is once again started with an IV, which can be public, but it is unique for each block of encryption. Once the IV is encrypted, the leftmost $k$ bits of this result are XORed with the first $k$ bits of the plaintext. The result of this operation is the first chunk of ciphertext. For the next stream of encryption, this $k$-bit chunk of ciphertext is then appended to the right side of the IV, shifting all bits $k$ positions to the left (the leftmost $k$ bits are discarded). Encryption then proceeds in the same manner. Mathematically, encryption is defined for $j = 1, 2, 3, \ldots$ on an $n$-bit plaintext message in the following manner:

$$O_j = L_k(E_K(X_j)) \qquad (3.4)$$

$$C_j = P_j \oplus O_j \qquad (3.5)$$

$$X_{j+1} = R_{n-k}(X_j) \,\|\, C_j. \qquad (3.6)$$

$L_k$ refers to the leftmost $k$ bits and $R_{n-k}$ refers to the rightmost $n - k$ bits; $X_1$ is the IV and $\|$ refers to concatenation. Figure 3.6 depicts CFB on a 5-bit mode.
Figure 3.6: 5-bit Cipher Feedback Mode on 64-bit Plaintext, from [18].

Output Feedback Mode

Figure 3.7 depicts OFB on a 5-bit mode. OFB is another method of implementing a block cipher in a stream mode. Just like in CFB, the IV is encrypted; the leftmost $k$ bits of this result (call this $O_j$) are extracted and XORed with the first $k$ bits of the plaintext, producing the first $k$ bits of ciphertext. For the next stream, rather than use the ciphertext as the input to the next IV, OFB takes $O_j$ and appends this chunk to the right side. Mathematically, encryption is defined for $j = 1, 2, 3, \ldots$, on an $n$-bit plaintext block in the following manner:

$$O_j = L_k(E_K(X_j)) \qquad (3.7)$$

$$X_{j+1} = R_{n-k}(X_j) \,\|\, O_j \qquad (3.8)$$

$$C_j = P_j \oplus O_j. \qquad (3.9)$$
Figure 3.7: 5-bit Output Feedback Mode on 64-bit Plaintext, from [18].


The operation in both CFB and OFB involving appending, shifting, and discarding bits is very similar to the way that a LFSR works. LFSRs can quickly produce a pseudorandom sequence of bits defined by a linear recurrence relation. LFSRs have wide usage, especially in military cryptography; for more on the subject consult [9, 12].

While CFB and OFB operate in similar manners, there are glaring differences with regards to error propagation. In CFB, an error in the plaintext will affect all outputs of ciphertext due to the recurrence relation. An error in the ciphertext, however, can be flushed out since eventually the ciphertext block with the error(s) will be shifted left until discarded. The problem here is that decryption produces nonsensical plaintext until errors are flushed. In OFB, errors in the ciphertext do not propagate; bits of ciphertext that are corrupted translate to corresponding bits in the plaintext with corruption. Since successive rounds are not built using corrupted ciphertext, errors do not repeat into other rounds. OFB can be used offline since future streams do not depend on the plaintext message being present. However, various professionals such as Robert Jueneman have shown that $k$-bit OFB mode is insecure for values of $k$ less than the block size [19]. The key stream $O_j$ has to eventually repeat, but the concern is that this repeat happens with the same key. When $k$ is equal to the block size $n$, the cycle length of key streams averages to $2^n - 1$. When $k < n$, this average cycle length drops to $2^{n/2}$, making it a much shorter time to find the repetition [9].


Counter Mode

CTR mode is similar to OFB but the output of the encryption is not used in the next stream. Instead, the encryption input vector is incremented by some constant, typically one, and used in the next register. The mode starts with an IV of length equal to the block length and is encrypted with key $K$. The leftmost $k$ bits of this result are XORed with the first $k$-bit chunk of plaintext to produce the first $k$-bit piece of ciphertext. A new encryption stream is then created by adding one to the IV and the process iterates. Note how the new vector does not depend on the encryption from the previous output. This process is depicted in Figure 3.8.
[Figure 3.8: Counter Mode, from [18]. (a) Encryption: Counter, Counter + 1, ..., Counter + N - 1 are each encrypted under K and the results are XORed with P_1, P_2, ..., P_N to give C_1, C_2, ..., C_N. (b) Decryption: the same encrypted counters are XORed with C_1, ..., C_N to recover P_1, ..., P_N.]


Mathematically, encryption in CTR mode is given by

$X_j = X_{j-1} + 1$   (3.10)

$O_j = L_k(E_K(X_j))$   (3.11)

$C_j = P_j \oplus O_j.$   (3.12)

3.4  The  Data  Encryption  Standard 

DES is perhaps the most well-known block cipher of the last century. It was for several decades the standard for data transmission in electronic commerce. Although it is no longer secure enough for much of our business needs in the United States (U.S.), DES is still in use as a primary system in some parts of the world and even for lower level applications in the U.S. such as secure speech [20].
3.4.1 History

Although cryptographic algorithms have been in use for quite a while, times of intensive military conflict have necessitated the need for secure communications. The world wars forced militaries to create ciphers to facilitate communication. The breaking of the infamous Zimmermann Telegram accelerated the U.S. entry into WWI. The German Enigma machine was in use for almost 20 years before the British and Polish were able to decrypt its messages in WWII. Claude Shannon gave us further insight into making cryptographic algorithms stronger following the wars, in 1949.¹ Furthermore, with computers coming to the forefront in the 1950s and 1960s, the need to protect data in the commercial sector became apparent [11].

Various private industries began earnest work into the development of strong block ciphers in the late 1960s [11]. Due to wars and the need for protecting government data, cryptology generally fell to the hands of the U.S. Department of Defense and Department of State. The rise in commercial industry, however, engendered the need for a public encryption system to be created. The NBS was charged with the task of finding this algorithm.

At the time, International Business Machines (IBM) was already involved in cryptography and algorithm development. According to D. Coppersmith, IBM was asked in the early 1970s by Lloyd's of London insurance to develop an encryption scheme for protecting automated teller machine (ATM) data [21, 22]. Officially, NBS issued a public request for a national cryptographic standard in the 1973 Federal Register. NBS specified nine major design principles, some of which included: ability to provide a high level of security, available to all users, adaptable to multiple applications, exportable, security depending on the key and not the secrecy of the algorithm, etc. [9, 13]. Few products were submitted, and none of them met sufficient criteria for a standard, thus NBS issued a second request in the 1974 Federal Register.

IBM was already working on an algorithm when NBS issued their request. At two separate sites (Kingston and Yorktown Heights, NY), the IBM team consisting of Roy Adler, Don Coppersmith, Horst Feistel, Edna Grossman, Alan Konheim, Carl Meyer, Bill Notz, Lynn Smith, Walt Tuchman, and Bryant Tuckerman developed an algorithm they dubbed Lucifer [9, 13, 21]. IBM submitted Lucifer to NBS in 1974, who forwarded the algorithm to the National Security Agency (NSA) for review. After some modifications, NSA returned a version which was approved and published by NBS in 1975 as DES. After two years of critique and criticism, NBS adopted DES as the national standard in 1977 [9, 12].

¹ C. Shannon wrote arguably the most influential paper of the 20th century on cryptography in 1949, "Communication Theory of Secrecy Systems."

From its publication in 1975, DES has been embroiled in controversy. First, the proponents of Lucifer were dismayed that the NSA reduced the key size from 128 bits to 56. Second, the design considerations of DES were not released at the time of publication. This worried some because many thought that either IBM or the NSA had built a "trapdoor" into the algorithm, i.e., a secret weakness to allow only them to be able to break the system. However, Coppersmith argues that this was not the case; IBM was circumspect, and withholding this information was meant to prevent cryptanalysis [21]. Finally, the NSA "characterized DES as one of their biggest mistakes" [9]. The NSA approved the standard with the notion that DES would be a hardware-only protocol; NBS issued the standard with enough information so that programmers could write DES software. In this respect, DES did more for the field of cryptanalysis, and it came as no surprise that the next government standard algorithm (Skipjack) was classified [9].

DES was officially published on January 15, 1977, as Federal Information Processing Standards (FIPS) Publication 46. NBS required that the standard be recertified and validated every five years after that. In 1983, DES passed the test easily. In 1988, however, the NSA had objections to the standard and demurred that it would not take long for DES to be broken. Unfortunately, there were no other viable alternatives available and businesses were regularly using DES for encryption needs [9]. The standard was recertified and updated on January 22, 1988, as FIPS Publication 46-2. DES was again recertified in 1993. By 1997, however, several methods were known for attacking DES-like systems, thus initiating the search for a replacement. DES was recertified on October 25, 1999, as FIPS Publication 46-3, which also encouraged the use of Triple DES (equivalent of a 112-bit key) to secure data [12]. With successful cryptanalysis occurring in 1999, NBS (now the NIST) convened to select a replacement. Finally, in November 2001 AES was published, but DES would remain in place until its removal in May 2005. For almost 30 years, DES was the national standard for encryption.
3.4.2 Algorithm Overview

DES is a symmetric block cipher operating on blocks of 64-bit plaintext. It is a Feistel type system whose round function utilizes SPN operations. The key is 56 bits in length, although it is expressed as a 64-bit string; every eighth bit is a parity check bit used for error detection and is usually ignored (see a text on coding theory for more on this subject). Since encryption must be invertible, a 64-bit block of plaintext encrypts to a 64-bit block of ciphertext. Thus, encryption and decryption can be visualized [23], respectively, as

KEY (56 bits) + Plaintext (64 bits) = Ciphertext (64 bits)   (3.13)

KEY (56 bits) + Ciphertext (64 bits) = Plaintext (64 bits).   (3.14)

Outline

Figure 3.9 depicts the DES algorithm, consisting of 16 rounds. A 64-bit block $w$ of plaintext is sent through an initial permutation (IP), to obtain $w_0 = IP(w)$. This new block is then split into a left and right half, each 32 bits long, i.e., $w_0 = L_0 R_0$. For 16 rounds, the operations are the same. The right half goes into the round function $f$ while also becoming the left half of the next round. The left half is XORed with the output of the round function, and the result of this XOR becomes the right half of the next round. Mathematically, this is given for $1 \le i \le 16$ as

$L_i = R_{i-1}$   (3.15)

$R_i = L_{i-1} \oplus f(R_{i-1}, K_i).$   (3.16)

The notation $K_i$ represents the $i$th key, but only 48 bits from the 56-bit key. After applying the 16th round function, the left and right halves are swapped, then go through an inverse permutation to obtain the ciphertext $c = IP^{-1}(R_{16} L_{16})$.
Initial Permutation

The IP actually occurs before the start of the first round. It neither affects the security of DES nor carries any other cryptographic significance. The best explanation is that the IP and inverse IP made data more easily readable by processors in the 1970s [9, 12]. This step is essentially a table lookup, read left to right and top to bottom. The IP is listed below in Table 3.2. For example, the 58th bit of $w$ becomes the 1st bit of $w_0$, the 50th bit of $w$ becomes the 2nd bit of $w_0$, the 42nd bit of $w$ becomes the 3rd bit of $w_0$, etc.


Initial Permutation

58  50  42  34  26  18  10   2
60  52  44  36  28  20  12   4
62  54  46  38  30  22  14   6
64  56  48  40  32  24  16   8
57  49  41  33  25  17   9   1
59  51  43  35  27  19  11   3
61  53  45  37  29  21  13   5
63  55  47  39  31  23  15   7

Table 3.2: DES Initial Permutation, from [12].


Round Function

Recall that the input to each round function is the right half of the block from the previous round. The function $f$ has a number of steps within it, the first of which is another permutation called expansion. This expansion permutation is depicted in Table 3.3, whereby $R$ is expanded to $E(R)$. Note that this table has 48 bits of output operating on an input of 32 bits. While the reader will note repetitions in the table, each input block generates a unique output block. The table reads the same as the IP, i.e., the 32nd bit of the input block becomes the 1st bit in the expansion block, etc. The purpose of expansion is not only to provide a block size equal to the key length for the XOR operation, but also to exhibit an avalanche effect. In other words, one bit affects two substitutions [9].
Expansion Permutation

32   1   2   3   4   5
 4   5   6   7   8   9
 8   9  10  11  12  13
12  13  14  15  16  17
16  17  18  19  20  21
20  21  22  23  24  25
24  25  26  27  28  29
28  29  30  31  32   1

Table 3.3: DES f Expansion Permutation, from [12].


After expansion, $E(R)$ is then XORed with a 48-bit subkey $K_i$ (key generation will be discussed later). The result of $E(R) \oplus K_i$ is another 48-bit string, which is partitioned into 6-bit chunks labeled $B_1 B_2 \cdots B_8$. These $B_j$ then go through a substitution step. Substitution is performed via S-Boxes, whereby the input to $S_j$ is $B_j$. The input to each S-Box is a 6-bit string, while the output is a 4-bit string. Substitution will be discussed in greater detail in the next subsection.

The outputs of the S-Boxes are eight 4-bit chunks, which are concatenated to form $C_1 C_2 \cdots C_8$. This new string then goes through another permutation, sometimes known as the P-Box. The P-Box permutation is shown in Table 3.4. This operation completes the round function; the layout of the DES round function is displayed in Figure 3.10.


Permutation

16   7  20  21  29  12  28  17
 1  15  23  26   5  18  31  10
 2   8  24  14  32  27   3   9
19  13  30   6  22  11   4  25

Table 3.4: DES f Permutation, from [12].

Figure 3.10: The DES Function f, after [12].


Key Generation

Recall that the initial DES key is 64 bits in length, but every eighth bit is a parity check bit. Thus, ignoring the parity check bits, the key is reduced to a 56-bit string $K$. As was written in the original registers [24-26], the key bits are then permuted via Permuted Choice-1. Following the first permutation, the key is split into two halves of 28 bits each, $K = C_0 D_0$. $C_0$ and $D_0$ then undergo a left shift to obtain $C_1$ and $D_1$. Each bit in $C_0$ and $D_0$ shifts left one place, but in general the shift is not always a single place. In general, for $1 \le i \le 16$, the left shift is described by $C_i = LS_i(C_{i-1})$ and $D_i = LS_i(D_{i-1})$, where $LS_i$ denotes a left shift of one or two places in the $i$th round. Both the first permutation and the left shift are described in Tables 3.5 and 3.6.


Permuted Choice-1

57  49  41  33  25  17   9
 1  58  50  42  34  26  18
10   2  59  51  43  35  27
19  11   3  60  52  44  36
63  55  47  39  31  23  15
 7  62  54  46  38  30  22
14   6  61  53  45  37  29
21  13   5  28  20  12   4

Table 3.5: DES First Key Permutation, after [12].


Number of Key Bits Shifted Per Round

Round   1   2   3   4   5   6   7   8   9  10  11  12  13  14  15  16
Shift   1   1   2   2   2   2   2   2   1   2   2   2   2   2   2   1

Table 3.6: DES Key Left Shift Operation, from [12].


After the left shift, the 56-bit string $C_i D_i$ undergoes one final permutation, denoted Permuted Choice-2. This second permutation is sometimes also called a compression permutation because it selects a subkey of 48 bits from the 56-bit input. The result from Permuted Choice-2 is $K_i$ for each round. This compression is required because the other input to the XOR operation in the round function is the 48-bit expansion string $E(R)$. Permuted Choice-2 is displayed in Table 3.7.


Permuted Choice-2

14  17  11  24   1   5
 3  28  15   6  21  10
23  19  12   4  26   8
16   7  27  20  13   2
41  52  31  37  47  55
30  40  51  45  33  48
44  49  39  56  34  53
46  42  50  36  29  32

Table 3.7: DES Second Key Permutation, after [12].
Inverse Initial Permutation

The final operation in the DES algorithm is another permutation, the inverse of the IP. After the last round, the left and right halves do not swap but instead concatenate to form the input for $IP^{-1}$. The purpose of $IP^{-1}$ is to ensure that the algorithm can be used for decryption. In decryption, the algorithm performs in the same manner, but the order of the keys is reversed [9, 12]. $IP^{-1}$ is displayed in Table 3.8.


Inverse Initial Permutation

40   8  48  16  56  24  64  32
39   7  47  15  55  23  63  31
38   6  46  14  54  22  62  30
37   5  45  13  53  21  61  29
36   4  44  12  52  20  60  28
35   3  43  11  51  19  59  27
34   2  42  10  50  18  58  26
33   1  41   9  49  17  57  25

Table 3.8: DES Inverse Initial Permutation, from [12].


3.4.3 Substitution Boxes

Recall that within the DES round function, the inputs to the S-Boxes are the blocks $B_1 B_2 \cdots B_8$. Each of the $B_j$ is assigned to the corresponding S-Box $S_j$, where $S_j$ is a table lookup. The 6-bit input $B_j$ is written as $b_1 b_2 b_3 b_4 b_5 b_6$. The end bits $b_1$ and $b_6$ are used to determine the row of $S_j$; the middle bits $b_2 b_3 b_4 b_5$ determine the column of $S_j$. The entry in the corresponding row and column of the S-Box is the output. The output of the S-Boxes is $C_1 C_2 \cdots C_8$, where $C_j$ is a 4-bit string. In this respect, each S-Box acts as a function mapping six bits of input to four bits of output. In fact, the S-Boxes are represented by a special class of cryptographic functions called Boolean functions (more on this in Chapter 4).

Table 3.9 displays the first S-Box in its traditional manner. Note that each row in the box contains the numbers zero through 15 exactly once. The reader might wonder how six bits of input will produce four bits of output given this form. Since a bit takes on the value of zero or one, the S-Box needs to be converted to its binary form (see Table 3.10).
S-Box 1

ROW/COL   0   1   2   3   4   5   6   7   8   9  10  11  12  13  14  15
0        14   4  13   1   2  15  11   8   3  10   6  12   5   9   0   7
1         0  15   7   4  14   2  13   1  10   6  12  11   9   5   3   8
2         4   1  14   8  13   6   2  11  15  12   9   7   3  10   5   0
3        15  12   8   2   4   9   1   7   5  11   3  14  10   0   6  13

Table 3.9: DES Substitution Box 1, after [12].


S-Box 1

ROW/COL  0000  0001  0010  0011  0100  0101  0110  0111
00       1110  0100  1101  0001  0010  1111  1011  1000
01       0000  1111  0111  0100  1110  0010  1101  0001
10       0100  0001  1110  1000  1101  0110  0010  1011
11       1111  1100  1000  0010  0100  1001  0001  0111

ROW/COL  1000  1001  1010  1011  1100  1101  1110  1111
00       0011  1010  0110  1100  0101  1001  0000  0111
01       1010  0110  1100  1011  1001  0101  0011  1000
10       1111  1100  1001  0111  0011  1010  0101  0000
11       0101  1011  0011  1110  1010  0000  0110  1101

Table 3.10: DES Substitution Box 1 in Binary Form, after [23].


As a simple example, suppose $B_1 = 001101$. The outer bits $b_1 b_6 = 01$ determine the row in the S-Box. The inner bits $b_2 b_3 b_4 b_5 = 0110$ determine the column. Thus, the entry in $S_1$ is 13, represented as 1101 in binary. This is conveniently colored for the reader in Table 3.10. Concatenating the remaining S-Boxes yields the desired 32-bit string for the next permutation.

The security of the DES algorithm rests primarily in the S-Boxes. For many years, their design was shrouded in mystery and to some extent this is true today. Although the boxes appear to be random shufflings of 32 rows of 16 integers, the IBM design team claims that the S-Box design is intended to thwart cryptanalysis. To investigate the claims of an alleged NSA trapdoor emplaced in the boxes, the U.S. Senate Select Committee on Intelligence conducted a classified review in 1978 and found no evidence of wrongdoing [9]. Although the findings were not released, the NSA confirmed that they did not tamper with the inner workings of DES. This might appear a closed case on the surface, but several of the IBM designers added further controversy to the topic with their comments. Tuchman and Meyer both stated that the S-Boxes were built by IBM and unaltered by the NSA [9]. Coppersmith stated that the NSA "provided technical advice to IBM" and requested that S-Box design considerations be kept secret [21]. Alan Konheim stated, "We sent the S-boxes off to Washington. They came back and were all different. We ran our tests and they passed" [9]. Clearly, there is some doubt on the veracity of either side of the debate, but an interesting question is why these eight S-Boxes were chosen out of the possible $8!\binom{2^{256}}{8}$.
The NSA has since revealed several design criteria relating to the construction of the DES S-Boxes [27]. They are summarized as follows:

P1. No S-box is a linear or affine function of the input.

P2. Changing 1 input bit to an S-box results in changing at least 2 output bits.

P3. $S(x)$ and $S(x + 001100)$ must differ in at least 2 bits.

P4. $S(x) \ne S(x + 11ef00)$ for any choice of $e$ and $f$.

P5. The S-boxes were chosen to minimize the difference between the number of 1's and 0's in any S-box output when any single output bit is held constant.

Several of the original Lucifer designers have also shed some light on the selection and design of the S-Boxes. Meyer wrote that as the number of design criteria increased, the selection of the appropriate S-Boxes was based on the number of terms in the corresponding Boolean expressions [11]. According to Meyer, in order to enable implementation on a single logic chip, it was necessary to keep the number of terms around 52 and 53. Coppersmith also wrote a detailed explanation of the eight S-Box design principles that were used in the original specifications. These criteria are listed below:

S-1 Each S-box has six input bits and four output bits (largest size at the time to put on a chip).

S-2 No output bit should be too close to a linear function of the input bits (output bits cannot be a linear combination of the input bits over $\mathbb{F}_2$).

S-3 Each possible 4-bit output is attained exactly once as the middle four input bits range over their 16 possibilities.

S-4 If two inputs differ in exactly one bit, then the outputs must differ in at least two bits.

S-5 If two inputs differ in the two middle bits exactly, then the outputs must differ in at least two bits (if $\Delta I_{i,j} = 001100$, then $|\Delta O_{i,j}| \ge 2$).

S-6 If two inputs differ in their first two bits and are identical in their last two bits, then the two outputs must not be the same.

S-7 For any nonzero 6-bit difference between inputs, $\Delta I_{i,j}$, no more than eight of the 32 pairs of inputs exhibiting $\Delta I_{i,j}$ may result in the same output difference $\Delta O_{i,j}$.

S-8 The case $\Delta O_{i,j} = 0$ follows (S-7) but with stronger restrictions.

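The criteria above can be checked mechanically. The following is an added example, not from the thesis, that tests S-Box 1 (Table 3.9) against S-3 through S-7 and builds the XOR difference table that S-7 bounds; the row/column lookup rule is the one given in Subsection 3.4.3, and the other seven S-boxes can be checked the same way.

```python
# Added example, not from the thesis: checking S-box 1 (Table 3.9) against the
# design criteria S-3 .. S-7 listed in this section.
S1 = [[14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
      [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
      [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
      [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13]]

def sbox(table, x):
    """6-bit input b1..b6 (b1 is the MSB): outer bits b1 b6 pick the row,
    middle bits b2..b5 pick the column (Subsection 3.4.3)."""
    row = (((x >> 5) & 1) << 1) | (x & 1)
    col = (x >> 1) & 0xF
    return table[row][col]

def weight(v):
    """Hamming weight: number of 1 bits."""
    return bin(v).count("1")

def check_s3(table):
    """S-3: every row is a permutation of 0..15."""
    return all(sorted(row) == list(range(16)) for row in table)

def check_s4(table):
    """S-4 (also P2): flipping any single input bit changes at least two output bits."""
    return all(weight(sbox(table, x) ^ sbox(table, x ^ (1 << i))) >= 2
               for x in range(64) for i in range(6))

def check_s5(table):
    """S-5 (also P3): inputs differing exactly in the two middle bits (001100)
    give outputs differing in at least two bits."""
    return all(weight(sbox(table, x) ^ sbox(table, x ^ 0b001100)) >= 2 for x in range(64))

def check_s6(table):
    """S-6 (also P4): inputs differing in the first two bits and agreeing in the
    last two (difference 11ef00 for any e, f) never give the same output."""
    return all(sbox(table, x) != sbox(table, x ^ (0b110000 | (ef << 2)))
               for x in range(64) for ef in range(4))

def difference_table(table):
    """ddt[dI][dO] = number of inputs x with S(x) xor S(x xor dI) == dO.
    Each ordered input counts once, so the 32 unordered pairs of S-7 are 64 entries."""
    ddt = [[0] * 16 for _ in range(64)]
    for d_in in range(64):
        for x in range(64):
            ddt[d_in][sbox(table, x) ^ sbox(table, x ^ d_in)] += 1
    return ddt

def check_s7(table):
    """S-7: for every nonzero input difference, no output difference occurs for
    more than 8 of the 32 unordered pairs, i.e. no DDT entry exceeds 16."""
    return all(max(row) <= 16 for row in difference_table(table)[1:])

def worst_differential(table):
    """Largest DDT entry for a nonzero input difference, as (count, dI, dO);
    count/64 is the single-S-box differential probability a designer has to tolerate."""
    ddt = difference_table(table)
    return max((ddt[d_in][d_out], d_in, d_out) for d_in in range(1, 64) for d_out in range(16))

def check_all(table):
    """The checks a reviewer would run on a candidate 6x4 S-box before accepting it."""
    return {"S-3": check_s3(table), "S-4": check_s4(table), "S-5": check_s5(table),
            "S-6": check_s6(table), "S-7": check_s7(table)}
```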

There are many similarities between the NSA list and Coppersmith's, the most important property being nonlinearity. Linearity will be discussed more in Chapter 4, but a linear algorithm is trivially broken. If an adversary knows a few pairs of plaintext and ciphertext in a linear algorithm over the same field, the key can be recovered by solving a simple linear system.

It is true that generic S-Boxes are chosen to resist differential and linear cryptanalysis. They are usually the only nonlinear part of a cipher, which harkens back to the DES design criteria. Although the S-Box itself is a lookup table, for DES it is a function mapping six input bits to four output bits. In this sense, "larger" S-Boxes are generally more resistant to statistical cryptanalysis [9]. "Larger" in this sense means a greater number of input and output bits associated with the mapping. The selection of S-Boxes in a cipher is a debatable issue. The DES designers claimed that months of analysis went into the selection of the eight S-Boxes. Yet, a randomly designed S-Box can often achieve an adequate level of resistance to attacks. While intentionally designed S-Boxes typically show strong resistance to known attacks, their performance against unknown attacks is unknown. On the other hand, randomly selected S-Boxes of large size can provide an adequate level of security [9].
3.4.4 Cryptanalysis of DES

As was mentioned in Subsection 3.4.1, the security of DES has always been in question. The key space was obviously an immediate issue. With a 128-bit key, the key space is $2^{128} \approx 3.4 \times 10^{38}$, but with a 56-bit key the key space is much smaller at $2^{56} \approx 7.2 \times 10^{16}$. Although this is still a large number, famous cryptographers Whitfield Diffie and Martin Hellman (best known for their invention of public-key crypto) analyzed the results of a brute force attack in 1976 [9, 28, 29]. In a brute force attack, the cryptanalyst tries every possible key until ciphertext decrypts to meaningful plaintext. Diffie and Hellman theorized that a special parallel computer costing roughly $20 million could search the entire DES key space in $10^5$ seconds, or about one day [28, 29]. Even though Diffie and Hellman acknowledged that this type of attack was only feasible for organizations like the NSA, they predicted that DES would be totally insecure by 1990 [9].

Hellman independently proposed another attack known as a chosen plaintext attack in 1980. In a chosen plaintext attack, the adversary is assumed to have control of the cipher but not the key. Thus, he can encrypt any number of plaintext messages and try to use the corresponding ciphertexts to find the key. In Hellman's method, the cryptanalyst needs memory space to store the possible encryptions, and he can thus reduce the time to find the key. A single plaintext block is encrypted under all possible keys, with all $2^{56}$ results being stored in memory. Then the cryptanalyst only has to insert the plaintext into the cipher, recover the corresponding ciphertext and look the key up in memory. Hellman proposed that a special computer could do this for $4-5 million, yielding 100 solutions per day [9, 28].

Israeli cryptographers Eli Biham and Adi Shamir were the first to publicly announce the method of differential cryptanalysis in 1990. At the time, brute force was the best known possible attack against DES. Coppersmith argues that IBM knew of this technique and purposely designed the algorithm to defeat it. Regardless, differential cryptanalysis is another version of a chosen plaintext attack and it revolutionized the field of cryptanalysis. In this method, the cryptanalyst starts with two plaintext messages $p$ and $p'$. These messages have a known difference, whereby the difference between two strings is found by the XOR, i.e., $\Delta p = p \oplus p'$. Then the cryptanalyst can find the corresponding ciphertext blocks $c$ and $c'$, that also have a known difference $\Delta c$. Knowing this difference in ciphertext pairs allows the cryptanalyst to assign probabilities to different keys since more pairs give information about the most probable key. Specifically, since we know the plaintext and ciphertext differences, then we also know the difference in the strings after the key mixing XOR step (since the XOR cancels the key out when looking at the differences). Knowing this difference, call it $\Delta A$, we can infer differences in the strings following the S-Boxes based on probabilities. These two differences give information about the key [9, 21]. As a toy example for why this works, consider Example 3.4.1.

EXAMPLE 3.4.1. Assume that for some block cipher, the cryptanalyst Eve has access to two messages $p$ and $p'$. She runs these through the expansion box and arrives at $p = 01101$ and $p' = 11100$. Thus, she can easily calculate the difference between these, i.e., $01101 \oplus 11100 = 10001$. She then runs these blocks through the key mixing step (reminder: Eve does not know the key), yielding $01101 \oplus K_i = 10010$ and $11100 \oplus K_i = 00011$. Eve then calculates the difference between these two outputs: $10010 \oplus 00011 = 10001$. Thus, Eve does not need any information about the key to obtain this. Now she can run the blocks through the S-Boxes and obtain this difference, as well as through the P-box and get this difference. Knowing all these differences allows Eve to run more messages through the cipher and observe which of these are more probable than others, and she can start guessing at keys.

Biham and Shamir first utilized differential cryptanalysis on some reduced-round DES variants. For a six-round DES, they showed that a chosen plaintext attack broke the algorithm in less than 0.3 seconds on a personal computer (PC) [28, 30]. If the encryption machine is not known, but the plaintext-ciphertext pair is known (called a known plaintext attack), then differential cryptanalysis reduces the space to $2^{55}$ ciphertexts. Biham and Shamir also proved that "any reduced variant of DES is breakable by a chosen plaintext attack faster than via exhaustive search" [28]. A brute force attack on DES requires $2^{55}$ operations, but Biham and Shamir broke DES with differential cryptanalysis using a chosen plaintext attack on $2^{47}$ plaintexts. Only $2^{36}$ ciphertexts are needed, however, to analyze and deduce the key. A known-plaintext attack on DES does not reduce the operation space. While a differential cryptanalytic method might seem like a massive breakthrough in cracking DES, this space is still unreachable in a feasible time period for most people and the costs are high. In fact, if an exhaustive key search of $2^{55}$ operations is performed, assuming the DES algorithm can be implemented at a modern rate of 1.6 gigabytes/sec, then a chip can perform $(1.6 \times 10^9)/64 = 2.5 \times 10^7$ DES computations per second. Even at this rate, this would take $2^{55}/(2.5 \times 10^7) \approx 1.4 \times 10^9$ seconds, or about 45 years [31]. Even in a chosen plaintext attack
with  the  ability  to  store  the  entire  search  space,  the  storage  of  2^^  plaintext-ciphertext  pairs 
for example requires upwards of 280 terabytes (TB) [31]. For some perspective, the highest capacity hard drive on the commercial market right now has a 12 TB capacity and it costs over $1,600.

At  the  CRYPTO  ’93  Rump  Session,  researcher  Michael  Wiener  proposed  a  design  for  a 
theoretical  DES  brute  force  cracker  that  could  break  the  algorithm  in  an  average  of  3.5 
hours  with  guaranteed  results  in  seven  hours  [9].  Wiener  estimated  the  cost  of  this  machine 
to  be  $1  million;  the  machine  could  conduct  a  key  search  in  parallel  so  that  16  encryptions 
could  occur  simultaneously  [10].  Although  no  one  has  publicly  admitted  to  constructing 
such  a  machine,  this  financial  cost  would  not  be  that  expensive  for  a  large  organization, 
government,  military,  or  country. 

In 1994, Mitsuru Matsui developed a new cryptanalytic technique called linear cryptanalysis.
In his first paper, where he developed the method, Matsui reduced the search space to
$2^{47}$ known plaintexts [32]. While this equaled the work of Biham and Shamir, Matsui
improved the technique in his second paper and showed a complexity of $2^{43}$ [33]. This
method was apparently unknown to the DES designers.

Linear cryptanalysis is a known plaintext attack that essentially makes use of a linear
function of the input bits. There are two parts to linear cryptanalysis, which Matsui refers
to as Algorithm 1 and Algorithm 2 [32]. The goal is to find a linear expression

$$p_{i_1} \oplus p_{i_2} \oplus \cdots \oplus p_{i_a} \oplus c_{j_1} \oplus c_{j_2} \oplus \cdots \oplus c_{j_b} = k_{l_1} \oplus k_{l_2} \oplus \cdots \oplus k_{l_c} \qquad (3.17)$$

where the $p_i$, $c_j$ and $k_l$ are the bits at the given positions of the plaintext,
ciphertext, and key, respectively, such that the expression holds with probability
$p \neq 0.5$. The first step entails finding linear equations or approximations relating bits
of the plaintext, ciphertext, and key via the S-Boxes. Once this linear relation is
determined, the relation is then expanded to the other operations in the cipher to arrive at
a linear approximation for the entire cipher. For example, perhaps the second bit of the
plaintext XORed with the first and third bits of the ciphertext equals the fifth bit of the
key, i.e., $p_2 \oplus c_1 \oplus c_3 = k_5$. However, since the key is unknown, the algorithm
is initiated by setting the right hand side of Equation 3.17 equal to 0 or 1. Thus, we often
start with the linear equation
$p_{i_1} \oplus p_{i_2} \oplus \cdots \oplus c_{j_1} \oplus c_{j_2} \oplus \cdots = 0$.

Once the expression is determined, the cryptanalyst applies all possible input and output
values to the expression to determine the probability that the equation is true. By counting
the number of times that this equation is true for a given key bit value, we can deduce
partial key bits based on probability. Specifically, given $N$ plaintexts, we find
$T_{\max}$ and $T_{\min}$, the maximum and minimum number of plaintexts (over the candidate
partial keys) for which the left hand side of Equation 3.17 is zero. If
$|T_{\max} - N/2| > |T_{\min} - N/2|$, then the partial key guessed is the candidate
corresponding to $T_{\max}$, and the key-bit parity on the right hand side is guessed 0 when
$p > 0.5$ (1 when $p < 0.5$); if the inequality is flipped, take the candidate corresponding
to $T_{\min}$ and the opposite parity guess [32,33]. This guess rests on the observation that
for the correct partial key the count $T$ deviates most from $N/2$, because only then does
the linear approximation hold with its predicted probability. Although linear cryptanalysis
reduces the complexity to $2^{43}$, it is still highly theoretical and costly in time, money,
and processing power.

A more recent development with linear cryptanalysis was conducted by Pascal Junod in his
master's thesis. By implementing Matsui's algorithm on a special processor optimized for
linear cryptanalysis, Junod showed via experiment that given $2^{43}$ known
plaintext-ciphertext pairs, the complexity of the attack could be reduced to $2^{41}$ [34].

Still, it would seem that the most popular approach to the cryptanalysis of DES is an
exhaustive search of the key space. In 1997, RSA Data Security issued a public challenge
to decrypt a DES message and find the key, while also offering $10,000 to the winner.
Computer scientist Rocke Verser took on the challenge and submitted the correct key in
five months. Verser's method included creating a program to search the key space, on
which thousands of personally and corporately owned computers donated processing time [12].

In 1998, the second challenge was issued by RSA Data Security, but this time the key was
found in just 39 days. Later that year, the Electronic Frontier Foundation (EFF) started
a project called "DES Cracker" in the summer of 1998, a computer built specifically for
parallel computing. For just $250,000, EFF used DES Cracker to find a key in 56 hours
[10]. In 1999, RSA Labs issued the third challenge, which was won by the DES Cracker
again. With 100,000 computers networked across the globe, the correct key was found in
22 hours and 15 minutes, testing over 245 billion keys per second [10]. This essentially
spelled the end of DES as a national standard. For more information on how EFF designed
and implemented the DES Cracker, the reader should consult [12].

While brute force attacks as well as linear and differential cryptanalysis tackle the
algorithm head on, there are other means to attack DES through known weaknesses. One such
way depends on the key used. Some keys are better than others, and specifically a key
whose 56 key bits are all 0s, all 1s, or split half-and-half (after the key schedule's
initial permutation, one 28-bit half all 0s and the other all 1s) is considered weak. Due
to the method of key generation, a key with this makeup yields the same round key in every
round of the algorithm [9].

The other potential weakness is in the actual design of the S-Boxes. Several analysts have
studied the S-Boxes and shown interesting relationships. Davio et al. expanded on a point
that Hellman made concerning the redundancy in the fourth S-Box, $S_4$. $S_4$ uses only one
nonlinear function, and as a result, the last three output bits "can be derived from the
first one by complementing some of the input bits and by complementing the second and third
outputs under control of the variable" [35]. Desmedt et al. proved that if the input to
three neighboring S-Boxes is changed, then the output of the round function $f$ will remain
the same under certain conditions. In this set of conditions, the notation $abcdef$
represents the 6-bit input to an S-Box [36]. The conditions listed below must all be
satisfied:

1. complement the inputs $a$, $b$ and $e$ of the middle three S-Boxes;

2. complement the input $c$ or $d$ of the last S-Box;

3. do not complement the input $f$ of the middle three S-Boxes.

Additionally, Shamir noted that by examining the XOR of the output bits, there was a clear
imbalance. Take for example $S_1$, given in Table 3.10. If we look at the entries where
$s_1 \oplus s_2 \oplus s_3 \oplus s_4 = 0$, where $s_i$ is the $i$-th bit of the S-Box output,
then there are seven such outputs in the left half of $S_1$ (the 32 inputs whose second
input bit is 0) versus 25 in the right half [9,37]. A similar imbalance is apparent in the
remaining S-Boxes. These are just features of the S-Boxes that an adversary could
potentially take advantage of.
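The following Python block is an added example and not part of the thesis. It serves two passages above: Shamir's output-parity imbalance in $S_1$, which it recounts from the S-box table, and the description of Matsui's Algorithm 1, which it runs against an assumed one-round toy cipher $C = S_1(P \oplus K)$ to recover one key bit from the S-box approximation "second input bit $=$ parity of the output". The $S_1$ table is the real DES one; the toy cipher, the choice of approximation and the function names are mine.

```python
# Added example, not from the thesis.  S1 is the DES S-box S1 (FIPS 46); the one-round
# "toy cipher" C = S1(P xor K) and all function names are assumptions for illustration.

# Row = (b1 b6), column = (b2 b3 b4 b5) of the 6-bit input b1..b6 (b1 is the MSB).
S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]


def s1(x: int) -> int:
    """Evaluate S1 on a 6-bit input held in bits 5..0 (bit 5 = b1, bit 0 = b6)."""
    row = (((x >> 5) & 1) << 1) | (x & 1)
    col = (x >> 1) & 0xF
    return S1[row][col]


def parity(v: int) -> int:
    """XOR of all bits of v; parity(a & x) is the dot product a . x over F2."""
    return bin(v).count("1") & 1


def lat_entry(in_mask: int, out_mask: int) -> int:
    """Number of the 64 inputs x with in_mask.x = out_mask.S1(x).
    The approximation holds with probability lat_entry/64; its bias is that minus 1/2."""
    return sum(1 for x in range(64)
               if parity(x & in_mask) == parity(s1(x) & out_mask))


def output_parity_split():
    """Shamir's imbalance: inputs whose output parity s1^s2^s3^s4 is 0, split by the
    second input bit b2 (b2 = 0 is the left half of the printed S-box, columns 0-7)."""
    zeros = [x for x in range(64) if parity(s1(x)) == 0]
    left = sum(1 for x in zeros if ((x >> 4) & 1) == 0)
    return left, len(zeros) - left


def toy_encrypt(p: int, k: int) -> int:
    """Assumed one-round toy cipher: 6-bit plaintext and key, 4-bit ciphertext."""
    return s1(p ^ k)


def algorithm1(pairs, p_gt_half: bool) -> int:
    """Matsui's Algorithm 1 for the approximation  p2 ^ (c1^c2^c3^c4) = k2.
    T counts known pairs whose left-hand side is 0.  If T > N/2 the left side is mostly
    0, so the key parity is guessed 0 when the approximation holds with probability
    above 1/2 and 1 when it holds with probability below 1/2; T < N/2 flips the guess."""
    n = len(pairs)
    t = sum(1 for p, c in pairs if (((p >> 4) & 1) ^ parity(c)) == 0)
    return 0 if (t > n / 2) == p_gt_half else 1


def recover_k2(k: int) -> int:
    """Guess key bit k2 of the toy cipher with every plaintext known (N = 64)."""
    pairs = [(p, toy_encrypt(p, k)) for p in range(64)]
    # The S-box input bit b2 equals p2 ^ k2, so the S-box relation b2 = parity(output)
    # lifts to p2 ^ parity(C) = k2 with the same probability (14/64 here).
    prob = lat_entry(0b010000, 0b1111) / 64
    return algorithm1(pairs, prob > 0.5)


if __name__ == "__main__":
    print("output parity 0, left/right halves of S1:", output_parity_split())   # (7, 25)
    print("inputs where b2 = output parity:", lat_entry(0b010000, 0b1111))        # 14
    print("k2 recovered for every key:",
          all(recover_k2(k) == ((k >> 4) & 1) for k in range(64)))               # True
```

The 7-versus-25 split is exactly why the approximation is usable: it holds for only 14 of 64 inputs, a bias of magnitude 18/64, and Algorithm 1 exploits the sign of that bias rather than its direction.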
CHAPTER 4:
Boolean  Functions 


I am now about to set seriously to work upon preparing for the press an account
of my theory of Logic and Probabilities which in its present state I look upon
as the most valuable if not the only valuable contribution that I have made or
am likely to make to Science and the thing by which I would desire if at all to
be remembered hereafter...


~ George Boole in a letter to William Thomson, 1851


The study of BFs is a relatively old discipline dating back to the 1800s. The study of
BFs in cryptography, however, is fairly nascent. BFs owe their name to English mathematician
George Boole (1815-1864). Boole came from a poor, working class family that often struggled
to make ends meet. The young Boole became interested in learning and even taught himself
Greek by the age of 14. Boole was forced into work at the age of 16, and subsequently became
a teacher at a small school in 1831. From that point forward, he remained in academia until
his death in 1864. Boole's most significant contribution to mathematics centered on two
publications in 1847 and 1854, in which he introduced algebra into Aristotelian logic. The
resulting Boolean algebra became a building block of modern day circuit analysis and model
theory. The definitive work on Boole's life is Desmond MacHale's George Boole: His Life and
Work, 1985, but a more concise synopsis is available in [38].


4.1  Boolean  Algebra  and  Operations 

Perhaps  the  reader  is  familiar  with  the  Boolean  algebra  used  in  logic  and  circuit  design. 
This  algebra  has  two  operations,  namely  addition  and  multiplication  on  the  set  {0, 1}.  The 
Boolean  sum  and  product  are  given  by  Table  4.1. 
These operations should not be confused with the ones we define for BFs. BFs also utilize
a sum and a product, but they operate on vectors and not just single bits. While the product
operation is the same, addition of BFs uses the XOR and has the truth table representation
in Table 4.2 (note this is the same as addition in the finite field $\mathbb{F}_2$).


    v_1   v_2   v_1 ⊕ v_2 (XOR)
     0     0         0
     0     1         1
     1     0         1
     1     1         0

Table 4.2: Boolean Function Addition.


For the world of BFs, we consider a vector space $V_n$ of dimension $n$ over the two-element
field $\mathbb{F}_2$. Thus, elements of $V_n$ are vectors with $n$ components, or in our case
bits. We also require this vector space to operate over $\mathbb{F}_2$. Given two vectors in
$V_n$, say $\mathbf{a} = (a_1, a_2, \ldots, a_n)$ and $\mathbf{b} = (b_1, b_2, \ldots, b_n)$,
we define addition over $\mathbb{F}_2$ as [39]:

$$\mathbf{a} \oplus \mathbf{b} = (a_1 \oplus b_1, a_2 \oplus b_2, \ldots, a_n \oplus b_n). \qquad (4.1)$$

The bold font is only used to emphasize that these are vectors, but the notation $\bar{a}$ or
$\vec{a}$ is sometimes also used. Likewise, we also define the scalar product of two vectors
in $V_n$ as:

$$\mathbf{a} \cdot \mathbf{b} = a_1 b_1 \oplus a_2 b_2 \oplus \cdots \oplus a_n b_n. \qquad (4.2)$$

There is one more operation on vectors in $V_n$ that we consider; it resembles a
concatenation and is defined componentwise as $(a_1 b_1, a_2 b_2, \ldots, a_n b_n)$. We can
now define just exactly what a BF is.


4.2 Definitions and Representations


Definition 4.2.1. [39] A Boolean function $f$ in $n$ variables is a map from $V_n$ to
$\mathbb{F}_2$,

$$f : V_n \to \mathbb{F}_2. \qquad (4.3)$$

Since the vector space $V_n$ is over the finite field $\mathbb{F}_2$, the vectors in the domain
of a BF are binary vectors. Thus, $V_n$ can also be represented as the set $\mathbb{F}_2^n$ of
all binary vectors of length $n$ considered as an $\mathbb{F}_2$ vector space [40]. Given this
alternate notation, other representations of a BF are

$$f : \mathbb{F}_2^n \to \mathbb{F}_2 \ [40] \qquad (4.4)$$

[41]. (4.5)

It is often more convenient to use the notation given in Equation 4.4, thus we will stick
with this for the remainder of the thesis. A BF can be uniquely represented by its truth
table, a (0,1)-sequence defined as
$(f(\mathbf{v}_0), f(\mathbf{v}_1), \ldots, f(\mathbf{v}_{2^n - 1}))$, where the
$f(\mathbf{v}_i)$ are the function output values and the $\mathbf{v}_i$ are ordered
lexicographically [39].


EXAMPLE 4.2.2. Consider the truth table for the BF $f : \mathbb{F}_2^3 \to \mathbb{F}_2$ in
Table 4.3. The unique representation for this BF is given by the column of outputs as a
sequence, $(0,0,1,1,1,1,0,1)$. Note that this output column is a binary string of length $2^3$.
    x_3   x_2   x_1   f
     0     0     0    0
     0     0     1    0
     0     1     0    1
     0     1     1    1
     1     0     0    1
     1     0     1    1
     1     1     0    0
     1     1     1    1

Table 4.3: Truth Table of a BF.


Example 4.2.2 displays the truth table representation for a BF, but it deserves some more
explanation. A vector in $\mathbb{F}_2^n$ has $n$ bits, and we label the input bits as $x_i$
for $1 \le i \le n$. The ordering of the $x_i$ is unimportant; we can order them left to right
or right to left. Each row in the truth table represents a vector in $\mathbb{F}_2^n$, and
ordering here is important. The vector space $\mathbb{F}_2^n$ contains $2^n$ vectors, whereby
each vector $\mathbf{v}_i$ is displayed in a truth table by the binary representation $b(i)$
of $i$, $0 \le i \le 2^n - 1$. Thus, in Table 4.3, the eight vectors in $\mathbb{F}_2^3$ are
ordered lexicographically by their binary representations from zero to seven.

The other way to represent a BF is via a polynomial in

$$\mathbb{F}_2[x_1, x_2, \ldots, x_n] / (x_1^2 - x_1, x_2^2 - x_2, \ldots, x_n^2 - x_n).$$

This polynomial representation of a BF is referred to as the algebraic normal form (ANF),
given as

$$f(\mathbf{x}) = f(x_1, x_2, \ldots, x_n) = \bigoplus_{\mathbf{a} \in \mathbb{F}_2^n} \lambda_{\mathbf{a}} \left( \prod_{i=1}^{n} x_i^{a_i} \right), \quad \lambda_{\mathbf{a}} \in \mathbb{F}_2, \ \mathbf{a} = (a_1, a_2, \ldots, a_n). \qquad (4.6)$$

Equation 4.6 [42] will make more sense in a bit, but first we need to define some more
terms. The Hamming weight of an arbitrary vector $\mathbf{x}$ in $\mathbb{F}_2^n$, denoted by
$wt(\mathbf{x})$, is the number of 1s in the vector $\mathbf{x}$. Similarly, the Hamming
weight of $f$ is the number of 1s in the truth table output sequence. The support (or on-set)
of a BF $f$, denoted by $\Omega_f = \{\mathbf{x} \in \mathbb{F}_2^n : f(\mathbf{x}) = 1\}$, is
the set of vectors whose truth table output is 1 [39,42]. Thus, we can also define the
Hamming weight of $f$ as $wt(f) = |\Omega_f|$. The Hamming distance between two functions
$f$ and $g$ is the weight of $f \oplus g$, i.e., $wt(f \oplus g)$.

The algebraic degree of $f$ is the largest value of the Hamming weight of $\mathbf{a}$ such
that $\lambda_{\mathbf{a}} \neq 0$ [42], or more simply the number of variables in the
highest order monomial with nonzero coefficient [39].


EXAMPLE 4.2.3. Let us refer back to Example 4.2.2 for demonstration of these concepts.
Below are the truth table and ANF for this function $f$. The Hamming weight of $f$ is
$wt(f) = 5$; the degree of $f$ is $\deg(f) = 3$ since the largest term in the ANF is
$x_1 x_2 x_3$.

    x_3   x_2   x_1   f
     0     0     0    0
     0     0     1    0
     0     1     0    1
     0     1     1    1
     1     0     0    1
     1     0     1    1
     1     1     0    0
     1     1     1    1

    ANF is $x_2 \oplus x_3 \oplus x_1 x_2 x_3$

Table 4.4: Representations of a BF.


There is a one-to-one correspondence between the ANF representation of a BF and its truth
table, so that given one we can find the other. There are several ways to do this, and we
start with the algebraic method. The ANF of a BF is specified by its support in the
following manner:

$$f(x_1, x_2, \ldots, x_n) = \bigoplus_{\boldsymbol{\tau} \in \Omega_f} \left( \prod_{i=1}^{n} (x_i + \tau_i + 1) \right), \quad \boldsymbol{\tau} = (\tau_1, \tau_2, \ldots, \tau_n). \qquad (4.7)$$

Using Equation 4.7, we can see how the ANF of $f$ was computed in Example 4.2.3. Only the
vectors in the support are considered for the ANF. In the expansion below, there is no
difference between the usual "$+$" and $\oplus$; they both represent the XOR operation, but
merely help to differentiate between vectors. The support of $f$, read as $(x_3, x_2, x_1)$
from Table 4.3, is $\{010, 011, 100, 101, 111\}$, giving five products:

$$\begin{aligned}
\mathrm{ANF} &= (x_1+1)\,x_2\,(x_3+1) \oplus x_1 x_2 (x_3+1) \oplus (x_1+1)(x_2+1)\,x_3 \oplus x_1 (x_2+1)\,x_3 \oplus x_1 x_2 x_3 \\
&= (x_1+1)(x_2 x_3 + x_2) \oplus x_1 x_2 + x_1 x_2 x_3 \oplus (x_1+1)(x_2 x_3 + x_3) \oplus x_1 x_3 + x_1 x_2 x_3 \oplus x_1 x_2 x_3 \\
&= x_1 x_2 x_3 + x_2 x_3 + x_1 x_2 + x_2 \oplus x_1 x_2 + x_1 x_2 x_3 \oplus x_1 x_2 x_3 + x_2 x_3 + x_1 x_3 + x_3 \oplus x_1 x_3 + x_1 x_2 x_3 \oplus x_1 x_2 x_3 \\
&= x_2 \oplus x_3 \oplus x_1 x_2 x_3,
\end{aligned}$$

where in the last step the pairs $x_2 x_3$, $x_1 x_2$ and $x_1 x_3$ cancel and four of the
five copies of $x_1 x_2 x_3$ cancel, leaving one.

To convert back to the truth table sequence from the ANF, the process is the same with a
minor difference. Form a table similar to a truth table but replace the output column with
the ANF coefficients. Note in Table 4.5 that in the $c$ column, 1s appear in the rows
representing the terms in the ANF: $x_2$, $x_3$, and $x_1 x_2 x_3$. Reproducing the method
from the preceding paragraph will yield the truth table output sequence for the function $f$.


    x_3   x_2   x_1   c
     0     0     0    0
     0     0     1    0
     0     1     0    1
     0     1     1    0
     1     0     0    1
     1     0     1    0
     1     1     0    0
     1     1     1    1

Table 4.5: Conversion from ANF to Truth Table Sequence.


The other, somewhat quicker method to convert between the two representations is the
Transeunt triangle as proven by Shafer et al. in [43,44]. In this method, either the truth
table output sequence or the ANF sequence is placed in a row. Then, in an inverted Pascal's
triangle fashion, the consecutive values in this row are added mod 2 (synonymous with
$\oplus$). The result of the addition is placed in the next higher row between the two
values on which the operation was performed [43]. The operations are repeated until a row
with one entry is reached; the left side of the resulting triangle is the (0,1)-sequence of
the desired conversion representation. In Figure 4.1, the function $f$ output from Example
4.2.2 is placed on the bottom row of the Transeunt triangle. After the triangle is formed,
the left side is the (0,1)-sequence of ANF coefficients, which matches the polynomial in
Example 4.2.3. In an analogous way, if the ANF coefficients are placed on the bottom row,
the resulting triangle will reveal the truth table output sequence.


                        1           <- x_1 x_2 x_3
                       0 1
                      0 0 1
                     1 1 1 0        <- x_3
                    0 1 0 1 1
                   1 1 0 0 1 0      <- x_2
                  0 1 0 0 0 1 1
                 0 0 1 1 1 1 0 1    (truth table of f, bottom row)

Figure 4.1: Transeunt Triangle Representation. Reading the left edge from the bottom row
upward gives $(0,0,1,0,1,0,0,1)$, the ANF coefficients in the row order of Table 4.5; the 1s
sit in the rows labeled $x_2$, $x_3$ and $x_1 x_2 x_3$.

A BF whose algebraic degree does not exceed one is called an affine function. An affine
function with constant term equal to zero is called a linear function [42,45].
Mathematically, an affine function on $\mathbb{F}_2^n$ has the form

$$\ell_{\mathbf{a},c}(\mathbf{x}) = \mathbf{a} \cdot \mathbf{x} \oplus c = a_1 x_1 \oplus \cdots \oplus a_n x_n \oplus c, \qquad (4.8)$$

where $\mathbf{a} = (a_1, a_2, \ldots, a_n) \in \mathbb{F}_2^n$, $c \in \mathbb{F}_2$ [39].

EXAMPLE 4.2.4. An example of an affine function $f : \mathbb{F}_2^n \to \mathbb{F}_2$ (with
$n \ge 4$) is $x_1 \oplus x_2 \oplus x_4 \oplus 1$, while an example of a linear function is
$x_1 \oplus x_2 \oplus x_4$.

A BF is called homogeneous if its ANF contains terms all of the same degree. The linear
function in Example 4.2.4 is homogeneous. A function such as
$x_2 x_4 x_5 \oplus x_1 x_3 x_5 \oplus x_3 x_4 x_5$ is also homogeneous.
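As an added example (not from the thesis), the Python below implements the conversions of this section and the bookkeeping around them: the support-product expansion of Equation 4.7, the Transeunt triangle of Figure 4.1, evaluation of an ANF back into a truth table, plus Hamming weight, algebraic degree and the affine, linear and homogeneous tests. A vector is stored as the integer whose binary form is $(x_n \ldots x_1)$, matching the row order of Table 4.3, and a monomial as the bit mask of the variables it contains; the function names are mine.

```python
# Added example, not from the thesis.  A vector x in F_2^n is the integer with binary
# form (x_n ... x_1); bit i-1 of that integer is x_i.  A monomial is the bit mask of the
# variables it multiplies (0 is the constant 1), and an ANF is a set of such masks.


def weight(v: int) -> int:
    """Hamming weight of a vector, or the number of variables in a monomial."""
    return bin(v).count("1")


def support(tt):
    """Omega_f: the vectors (as integers) whose truth-table output is 1."""
    return [x for x, b in enumerate(tt) if b]


def hamming_weight(tt) -> int:
    return len(support(tt))


def anf_from_support(tt, n: int) -> set:
    """Equation 4.7: XOR over tau in Omega_f of prod_i (x_i + tau_i + 1).
    A factor is x_i when tau_i = 1 and (x_i + 1) when tau_i = 0, so the product
    expands to every monomial m with tau a subset of m; coefficients are taken mod 2."""
    coeff = [0] * (1 << n)
    for tau in support(tt):
        for m in range(1 << n):
            if m & tau == tau:
                coeff[m] ^= 1
    return {m for m in range(1 << n) if coeff[m]}


def transeunt_triangle(seq):
    """Rows of the Transeunt triangle from the bottom row `seq` up to the apex, and the
    left edge read bottom-up, which is the converted (0,1)-sequence."""
    rows = [list(seq)]
    while len(rows[-1]) > 1:
        prev = rows[-1]
        rows.append([prev[j] ^ prev[j + 1] for j in range(len(prev) - 1)])
    return rows, [r[0] for r in rows]


def anf_from_transeunt(tt) -> set:
    """Truth table -> ANF via the triangle; the edge is indexed like the c column of Table 4.5."""
    _, edge = transeunt_triangle(tt)
    return {m for m, c in enumerate(edge) if c}


def truth_table_from_anf(anf, n: int):
    """Evaluate f(x) = XOR of the monomials contained in x, for every x in F_2^n."""
    return [sum(1 for m in anf if x & m == m) & 1 for x in range(1 << n)]


def degree(anf) -> int:
    return max((weight(m) for m in anf), default=0)


def is_affine(anf) -> bool:
    return degree(anf) <= 1


def is_linear(anf) -> bool:
    return is_affine(anf) and 0 not in anf


def is_homogeneous(anf) -> bool:
    return len({weight(m) for m in anf}) <= 1


def anf_str(anf, n: int) -> str:
    """Print an ANF in the thesis's notation, lowest-degree terms first."""
    def mono(m):
        return "1" if m == 0 else "".join(f"x{i + 1}" for i in range(n) if (m >> i) & 1)
    return " + ".join(mono(m) for m in sorted(anf, key=lambda m: (weight(m), m))) or "0"


if __name__ == "__main__":
    f = [0, 0, 1, 1, 1, 1, 0, 1]                  # Example 4.2.2
    anf = anf_from_support(f, 3)
    print(anf_str(anf, 3))                        # x2 + x3 + x1x2x3
    print(transeunt_triangle(f)[1])               # [0, 0, 1, 0, 1, 0, 0, 1]
    print(truth_table_from_anf(anf, 3) == f)      # True
```

Both conversions are the same involution (the binary Möbius transform), which is why the triangle works in either direction; the support-product form is the one to use when a function is given as a list of inputs that must map to 1, as S-box output bits usually are.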
4.3 Cryptographic Properties of Boolean Functions

Until this point, we have discussed the meaning of a BF and even hinted at nonlinear
components of a cryptosystem. Now we need to formally define properties of BFs that
make them useful for cryptography. BFs are used in many symmetric key algorithms, and
there is a correlation between cryptanalysis and the properties of the BFs used. There is
no established set of criteria for determining which mix of properties is necessary in the
construction of a cryptographic BF, but some are more important than others. As various
people have shown, the desired cryptographic properties of a BF generally depend on which
type of cryptanalytic attack they are to withstand and the structure of the algorithm itself.

4.3.1 Balance

Perhaps the easiest property for a BF to satisfy is balance. A BF is balanced if its output is
equally distributed [46]. In other words, a balanced BF on $n$ variables has weight
$wt(f) = 2^{n-1}$. In a truth table, balance is the property that half the output bits are 1
and the other half are 0. In this respect, the question of balance is a binary yes or no
decision. By using this property, it can be difficult for an adversary to obtain statistical
dependencies between the plaintext and ciphertext pairs [40].

4.3.2 Nonlinearity

Linearity is a cryptographer's worst nightmare.

~ Pante Stanica, Naval Postgraduate School (NPS) Professor


In Subsection 3.4.3, we introduced nonlinearity as a design criterion for the DES S-Boxes.
It is not surprising that many researchers and experts feel that nonlinearity is the most
important criterion for a BF to satisfy. The linear cryptanalytic attack takes advantage of
linear equation schemes to break a cipher, important because linear equations can be solved
in polynomial time. While it is not the aim of this thesis to describe or examine how to
construct strong nonlinear BFs, the reader can delve more into this topic in [40,45,47-51].

In terms of characterization, a nonlinear BF is a non-affine function, i.e., a BF whose ANF
contains at least one term with algebraic degree greater than one [51]. With respect to a
specific function, nonlinearity is defined as the minimum Hamming distance to the class of
all affine functions, or the distance to the nearest affine function on $\mathbb{F}_2^n$
[45,46]. Since nonlinearity is an integer valued property, functions can have varying
measures of cryptographic strength. In general, a BF used for cryptography should have the
highest nonlinearity possible. Of course, the nonlinearity of $f$ is bounded above [40,45],
so for each $n$ there is a highest possible nonlinearity.


Willi Meier and Othmar Staffelbach [51] further clarified that a cryptographically good
nonlinear function also needs to be "invariant under a certain group of transformations."
In their example, a BF $f(x_1, x_2, \ldots, x_n)$ might contain all nonlinear terms, but a
simple complement operation turns the function into a monomial with just one term. This new
function under transformation is poor with respect to the number of nonlinear terms. Thus,
BFs must have a large Hamming distance to the class of all affine functions to provide
confusion in an algorithm [40]. Mathematically, nonlinearity is defined as

$$N_f = \min_{\ell \in \mathcal{A}_n} d(f, \ell), \qquad (4.9)$$

where $d(f, \ell)$ is the Hamming distance between $f$ and an affine function $\ell$, and
$\mathcal{A}_n$ is the class of all affine functions on $\mathbb{F}_2^n$. The exact
nonlinearity value of a BF $f$ is given in terms of the Walsh Transform, which will be
further explained in Section 4.5.

4.3.3 Correlation Immunity

The notion of correlation immunity was developed in 1984 by Thomas Siegenthaler [52],
when he noted that certain stream ciphers were vulnerable to correlation attacks. Recall
that in a stream cipher, the encryption scheme enciphers plaintext characters individually.
As a plaintext bit moves through the cipher, a key bit combines with it to form the
corresponding ciphertext bit. Each of these plaintext characters passing through the cipher
requires a key, but the process for generating the set of keys (key stream) is different for
every cipher. Many stream ciphers use the LFSR technique for key stream generation. In this
method, multiple LFSRs are set in parallel, with their outputs combined via a nonlinear BF
to break up the linearity. The resulting combination forms the key stream. In a correlation
attack, the adversary observes a correlation between the individual LFSR outputs and the
key stream [9,53].

Thus, a BF is correlation immune of order $k$ if its output is statistically independent of
the combination of any $k$ of its inputs [46]. Alternately, a BF $f$ in $n$ variables is
correlation immune of order $k$, $1 \le k \le n$, if for every choice of $k$ positions
$i_1 < i_2 < \cdots < i_k$ and every pattern $\mathbf{a} \in \mathbb{F}_2^k$,

$$P[(x_{i_1}, x_{i_2}, \ldots, x_{i_k}) = \mathbf{a} \mid f(\mathbf{x}) = \mu] = 2^{-k},$$

where $x_i$ is the value of the $i$-th bit, $\mu \in \mathbb{F}_2$, and $P[A \mid B]$ is the
conditional probability of an event $A$ given event $B$.

EXAMPLE 4.3.1. Consider the following truth table for a function $f(x_1, x_2, x_3)$. To check
that this function is correlation immune of order 1, we must check all 1-variable subsets
with their possible values and ensure that the outputs are independent of the differing
inputs. The case where $f = 0$ should also be checked, but the result is the same;
$P = 2/4 = 1/2$.

    P[x_1 = 0 | f = 1] = 2/4      P[x_1 = 1 | f = 1] = 2/4
    P[x_2 = 0 | f = 1] = 2/4      P[x_2 = 1 | f = 1] = 2/4
    P[x_3 = 0 | f = 1] = 2/4      P[x_3 = 1 | f = 1] = 2/4

Table 4.6: A 3-Variable BF, Correlation Immune of Order k = 1.

4.3.4 Resiliency

A year after Siegenthaler's introduction of correlation immunity, Benny Chor et al.
introduced the term resiliency [54]. In [54], the authors describe a function $f$ to be
$t$-resilient if for every subset $T$ of the $n$ input variables of cardinality $t$, $f$ is
unbiased with respect to $T$, i.e., $f$ as a random variable is unbiased when the inputs in
$T$ are fixed to any values. In simpler fashion, a BF is $k$-resilient if it is both balanced
and correlation immune of order $k$ [39].

Siegenthaler was nevertheless influential in explaining how resiliency relates to
correlation attacks. If a function is not $k$-resilient, then a correlation can be found
between the output bits and at most $k$ input bits [40]. There is an obvious connection here
with the algebraic degree of a BF. Due to Siegenthaler, we know that for a function in $n$
variables of degree $d$, and correlation immune of order $k$, the following inequality holds:
$k + d \le n$ [52]. Furthermore, we also know that if the function is balanced and
$k \le n - 2$, then $k + d \le n - 1$, i.e., $d \le n - k - 1$. In cryptography, we aim to
make the resiliency as high as possible. Resiliency, along with several of these other
properties, can also be described in terms of the Walsh Transform (see Section 4.5).
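Added example (not from the thesis): Python that decides balance, computes nonlinearity by brute force over all $2^{n+1}$ affine functions (Equation 4.9 directly, without the Walsh Transform of Section 4.5), checks correlation immunity of order $k$ straight from the conditional-probability definition of Section 4.3.3, and reports resiliency. It is run on two functions chosen here: $x_1 \oplus x_2 \oplus x_3 x_4$ (balanced, degree 2), which comes out 1-resilient and meets Siegenthaler's balanced bound $k + d \le n - 1$ with equality, and the parity function $x_1 \oplus x_2 \oplus x_3$, the $k = n - 1$ case that bound excludes. Function names are mine; the degrees are read off the ANFs by hand.

```python
# Added example, not from the thesis.  Truth tables are lists indexed by the integer
# whose binary form is (x_n ... x_1); bit i-1 of the index is x_i.
from itertools import combinations


def parity(v: int) -> int:
    return bin(v).count("1") & 1


def truth_table(n: int, fn):
    """Truth table of a predicate fn(x) on integer-encoded vectors of F_2^n."""
    return [fn(x) & 1 for x in range(1 << n)]


def is_balanced(tt) -> bool:
    """Section 4.3.1: wt(f) = 2^(n-1)."""
    return 2 * sum(tt) == len(tt)


def nonlinearity(tt, n: int) -> int:
    """Equation 4.9 by brute force: minimum Hamming distance to the 2^(n+1) affine
    functions a.x + c (exhaustive, so only practical for small n)."""
    best = len(tt)
    for a in range(1 << n):
        for c in (0, 1):
            dist = sum(1 for x, fx in enumerate(tt) if fx != parity(a & x) ^ c)
            best = min(best, dist)
    return best


def is_correlation_immune(tt, n: int, k: int) -> bool:
    """Section 4.3.3 definition: for every k-subset of input positions and both output
    values mu, each of the 2^k patterns of those bits occurs with conditional
    probability exactly 2^-k among the inputs with f(x) = mu."""
    for mu in (0, 1):
        preimage = [x for x, fx in enumerate(tt) if fx == mu]
        if not preimage:            # constant function: nothing to condition on
            continue
        for positions in combinations(range(n), k):
            counts = {}
            for x in preimage:
                pattern = tuple((x >> i) & 1 for i in positions)
                counts[pattern] = counts.get(pattern, 0) + 1
            if len(counts) != 1 << k or len(set(counts.values())) != 1:
                return False
    return True


def correlation_immunity_order(tt, n: int) -> int:
    """Largest k for which f is correlation immune of order k (0 if none)."""
    k = 0
    while k < n and is_correlation_immune(tt, n, k + 1):
        k += 1
    return k


def resiliency_order(tt, n: int) -> int:
    """k-resilient = balanced and CI of order k; -1 flags an unbalanced function."""
    return correlation_immunity_order(tt, n) if is_balanced(tt) else -1


def siegenthaler_bound_ok(n: int, k: int, d: int, balanced: bool) -> bool:
    """k + d <= n, sharpened to k + d <= n - 1 for balanced f with k <= n - 2."""
    limit = n - 1 if balanced and k <= n - 2 else n
    return k + d <= limit


def f1(x: int) -> int:
    """Constructed test function x1 + x2 + x3x4 (algebraic degree 2)."""
    x1, x2, x3, x4 = x & 1, (x >> 1) & 1, (x >> 2) & 1, (x >> 3) & 1
    return x1 ^ x2 ^ (x3 & x4)


F1 = truth_table(4, f1)
F2 = truth_table(3, parity)         # x1 + x2 + x3 (algebraic degree 1)

if __name__ == "__main__":
    for name, tt, n, d in (("x1+x2+x3x4", F1, 4, 2), ("x1+x2+x3", F2, 3, 1)):
        k = correlation_immunity_order(tt, n)
        print(f"{name}: balanced={is_balanced(tt)} N_f={nonlinearity(tt, n)} "
              f"CI order={k} resiliency={resiliency_order(tt, n)} "
              f"Siegenthaler ok={siegenthaler_bound_ok(n, k, d, is_balanced(tt))}")
```

The brute-force distance loop is fine for checking S-box coordinate functions ($n \le 8$); beyond that the Walsh Transform of Section 4.5 gives the same value in $O(n 2^n)$ time.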


4.3.5 Algebraic Immunity

The concept of algebraic immunity also arose from the study of LFSR based stream ciphers
vulnerable to correlation attacks. Nicolas Courtois [55] first proposed algebraic attacks on
those stream ciphers that either had a low-degree BF combiner or whose BF could be
approximated with a low-degree polynomial. Courtois and Meier [56] later proved that this
type of attack could be applied by multiplying a high-degree combiner with a carefully
chosen low degree multivariate polynomial. The idea behind an algebraic attack rests on the
fact that an adversary has access to some plaintext and corresponding ciphertext bits, and
hence to some bits of the key stream. Since the key stream is a result of the combining
function, this is not too wild of an assumption. The adversary then deduces a series of low
degree multivariate polynomials from each of the combiner output states, to which the key
bits are solutions. The resulting system of multivariate low degree polynomials can be
solved efficiently and the secret key can be recovered [42,53,55,56].

A nonzero polynomial $g$ is called an annihilator of a polynomial $f$ if $fg = 0$. With
respect to the preceding paragraph, an annihilator of low degree aids in the implementation
of an algebraic attack. Similarly, we need to consider the complement of $f$, i.e.,
$f \oplus 1$, since low degree annihilators of $f \oplus 1$ also give way to algebraic
attacks [39,40]. Thus, the algebraic immunity of $f$, denoted by $AI(f)$, is the minimum
degree of $g$ such that $g$ is an annihilator of $f$ or $f \oplus 1$, i.e.,
$AI(f) = \min\{\deg(g) : g \neq 0,\ fg = 0 \text{ or } (f \oplus 1)g = 0\}$.

EXAMPLE 4.3.2. Given $f(x_1, x_2, x_3, x_4) = x_1 x_2 x_3 x_4$ and
$g(x_1, x_2, x_3, x_4) = x_1 \oplus x_2 \oplus x_3 \oplus x_4$, the algebraic immunity of $f$
is 1, $AI(f) = 1$. Since
$fg = x_1 x_2 x_3 x_4 \oplus x_1 x_2 x_3 x_4 \oplus x_1 x_2 x_3 x_4 \oplus x_1 x_2 x_3 x_4 = 0$
(using $x_i^2 = x_i$), $g$ is an annihilator of degree 1, and no nonzero annihilator of
degree 0 exists for a nonconstant $f$, so the minimum degree is 1, after [53].
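Added example (not from the thesis): Python that computes $AI(f)$ by searching for annihilators directly. A nonzero $g$ of degree at most $d$ annihilates $f$ exactly when $g$ vanishes on the support of $f$, which is a homogeneous linear system over $\mathbb{F}_2$ in the coefficients of the monomials of degree at most $d$; a nonzero solution exists iff that system has a nontrivial null space, and the same test is repeated on $f \oplus 1$. The elimination routine and the function names are mine; the block reproduces Example 4.3.2 and also checks the 3-variable majority function, which has no annihilator of degree 1 on either side.

```python
# Added example, not from the thesis.  Vectors and monomials are encoded as in the rest
# of this chapter: integer x has binary form (x_n ... x_1); a monomial is the bit mask of
# its variables; an ANF is a set of masks; a truth table is a list indexed by x.


def weight(v: int) -> int:
    return bin(v).count("1")


def evaluate(anf, x: int) -> int:
    """g(x): XOR of the monomials of g whose variables are all 1 in x."""
    return sum(1 for m in anf if x & m == m) & 1


def nullspace_vector(rows, ncols: int):
    """A nonzero v (bit mask over ncols columns) with row.v = 0 mod 2 for every row,
    or None if only v = 0 works.  Rows are bit masks; elimination keeps the pivot rows
    fully reduced, so each holds its own pivot column plus free columns only."""
    pivots = {}                                  # pivot column -> reduced row
    for r in rows:
        for col, prow in pivots.items():
            if (r >> col) & 1:
                r ^= prow
        if r == 0:
            continue
        col = r.bit_length() - 1
        for c in pivots:
            if (pivots[c] >> col) & 1:
                pivots[c] ^= r
        pivots[col] = r
    free = [c for c in range(ncols) if c not in pivots]
    if not free:
        return None
    v = 1 << free[0]                             # set one free variable to 1 ...
    for col, prow in pivots.items():             # ... and solve each pivot row for its column
        if (prow >> free[0]) & 1:
            v |= 1 << col
    return v


def annihilator(tt, n: int, d: int):
    """A nonzero g with deg(g) <= d and f*g = 0 (as a set of monomials), or None.
    g must vanish on every x in the support of f: one linear constraint per such x."""
    monomials = [m for m in range(1 << n) if weight(m) <= d]
    rows = []
    for x, fx in enumerate(tt):
        if fx:
            rows.append(sum(1 << j for j, m in enumerate(monomials) if x & m == m))
    v = nullspace_vector(rows, len(monomials))
    if v is None:
        return None
    return {monomials[j] for j in range(len(monomials)) if (v >> j) & 1}


def algebraic_immunity(tt, n: int):
    """AI(f) = min deg(g) over nonzero annihilators g of f or of f + 1; returns (AI, g)."""
    complement = [b ^ 1 for b in tt]
    for d in range(n + 1):
        for target in (tt, complement):
            g = annihilator(target, n, d)
            if g is not None:
                return d, g
    raise AssertionError("unreachable: f + 1 annihilates f at degree <= n")


def product_is_zero(tt, g, n: int) -> bool:
    """Check f*g = 0 pointwise, i.e. g is 0 wherever f is 1."""
    return all(not (tt[x] and evaluate(g, x)) for x in range(1 << n))


# Constructed inputs: Example 4.3.2's f = x1x2x3x4, and the 3-variable majority function.
F_EX = [1 if x == 0b1111 else 0 for x in range(16)]
MAJ = [1 if weight(x) >= 2 else 0 for x in range(8)]

if __name__ == "__main__":
    print(algebraic_immunity(F_EX, 4))     # (1, {0, 8}): g = 1 + x4 also annihilates f
    print(algebraic_immunity(MAJ, 3))      # degree 2, the maximum possible for n = 3
```

Note that the search returns one annihilator, not the thesis's $g$: any nonzero element of the null space will do, and the attacker only needs the lowest degree, which is why $AI(f)$ rather than a particular $g$ is the figure of merit.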
4.3.6 Strict Avalanche Criteria and Propagation Criteria

Recall that in the explanation of the DES round function, we mentioned the notion of an
avalanche effect. Feistel [57] was the first to use this term with regards to error detection
in codes. He noted that a single error in plaintext could cause an avalanche of errors in
the rest of the message when encrypted with a computer. Today, the avalanche effect is
observed if a small change in function input yields a large change in function output [39].
With respect to a BF, the avalanche effect is present if, on average, half of the output bits
change when one bit in the input is complemented (i.e., $\oplus 1$) [58].

The strict avalanche criterion (SAC) is an extension of the avalanche effect, requiring that
"each output bit should change with a probability of one half whenever a single input bit is
complemented" [58]. Formally, A. F. Webster and Tavares defined SAC in a more precise
manner.

Definition 4.3.3. Let $X$ and $X_i$ be $n$-bit binary plaintext vectors, such that $X$ and
$X_i$ differ only in bit $i$, $1 \le i \le n$, i.e., $wt(X \oplus X_i) = 1$. Let
$V_i = Y \oplus Y_i$, where $Y = f(X)$, $Y_i = f(X_i)$ and $f$ is a function. If $f$
satisfies the SAC, then the probability that each bit in $V_i$ is equal to one should be one
half over the set of all possible plaintext vectors $X$ and $X_i$.

Kwangjo Kim and others [49,59,60] provide a more implementable definition of SAC. Let
$c_i^{(n)}$ denote an $n$-dimensional vector with Hamming weight one, at the $i$-th
position.

Definition 4.3.4. A function $f : \mathbb{F}_2^n \to \mathbb{F}_2^m$ satisfies the SAC if
for all $i$ ($1 \le i \le n$) the following equation holds:

$$\sum_{\mathbf{x} \in \mathbb{F}_2^n} \left( f(\mathbf{x}) \oplus f(\mathbf{x} \oplus c_i^{(n)}) \right) = (2^{n-1}, 2^{n-1}, \ldots, 2^{n-1}), \qquad (4.10)$$

where the sum is taken over the integers, component by component.

Definition 4.3.4 is the most general definition for any function, but since we are mainly
concerned with BFs, the codomain is just $\mathbb{F}_2$ and the right hand side of the
equation is just $2^{n-1}$. Thus, a one bit change in the $2^n$ input vectors results in an
output change for $2^{n-1}$ of those vectors (i.e., exactly half). Example 4.3.5
demonstrates the SAC for a BF on three variables.

EXAMPLE 4.3.5. In this BF with $n = 3$, the possible one-bit changes are reflected to the
right of the original function output column. Note that for each bit change, the output
changes for exactly $2^2 = 4$ vectors.


 x3  x2  x1 |  f  | ⊕100 | ⊕010 | ⊕001
  0   0   0 |  1  |   0  |   1  |   1
  0   0   1 |  1  |   1  |   0  |   1
  0   1   0 |  1  |   1  |   1  |   0
  0   1   1 |  0  |   1  |   1  |   1
  1   0   0 |  0  |   1  |   1  |   1
  1   0   1 |  1  |   1  |   1  |   0
  1   1   0 |  1  |   1  |   0  |   1
  1   1   1 |  1  |   0  |   1  |   1

Table 4.7: A 3-Variable BF Satisfying the SAC, after [39].


Another  result  that  follows  from  the  SAC  is  balance  in  the  Hamming  weights  between  the 
contrasting  outputs.  This  result  is  also  from  Webster  and  Tavares  [58],  but  is  formalized  by 
Cusick  and  Stanica  [39]  as  a  lemma. 

Lemma 4.3.6. A BF $f : \mathbb{F}_2^n \to \mathbb{F}_2$ satisfies the SAC iff the function $f(x) \oplus f(x \oplus a)$ is balanced for every $a$ in $\mathbb{F}_2^n$ with Hamming weight 1.

As a visualization of this lemma, refer back to Table 4.7. Note that the XOR between the $f$ column and any of the bit change columns is a balanced string. Although it was developed in 1986, SAC was generalized a few years later.

In 1990, Bart Preneel et al. generalized SAC as propagation criteria. A BF satisfies the propagation criteria of degree $k$, denoted as $PC(k)$, if $f(x)$ changes with a probability of one half whenever $i$ ($1 \le i \le k$) of the $n$ bits of $x$ are complemented [61]. Given this definition, SAC is equivalent to $PC(1)$.

Just like with SAC, there are alternate ways to present the definition of PC. One such definition relies on the concept of a directional derivative of a BF. If $f$ is a BF in $n$ variables and $b$ is any vector in $\mathbb{F}_2^n$, then the derivative of $f$ in the direction of $b$ is $D_b f(x) = f(x) \oplus f(x \oplus b)$ [40]. Hence, a BF $f(x)$ in $n$ variables satisfies $PC(k)$ if and only if all of the directional derivatives are balanced functions, i.e., for all $a \in E \subseteq \mathbb{F}_2^n$, where $E$ is the set of vectors with $1 \le \mathrm{wt}(a) \le k$, the derivative $D_a f(x) = f(x) \oplus f(x \oplus a)$ is balanced [39,40].
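The SAC test of Definition 4.3.4 / Lemma 4.3.6 and the $PC(k)$ test above can be run mechanically on a truth table by forming the directional derivatives $D_a f$ and checking balance. The following Python is an added example (not code from the thesis or its references); it uses the function of Table 4.7 as constructed input and, going beyond the one-bit case the table shows, tests every direction $a$ with $1 \le \mathrm{wt}(a) \le k$:

```python
# Added example: SAC / PC(k) via directional derivatives D_a f(x) = f(x) XOR f(x XOR a).
# Not part of the thesis; the truth table below is transcribed from Table 4.7.

# Truth table of the 3-variable BF of Table 4.7, indexed by the integer whose
# binary digits are the input bits in column order (row 000 -> index 0, 111 -> 7).
TABLE_4_7 = [1, 1, 1, 0, 0, 1, 1, 1]


def n_vars(tt):
    """Number of variables n for a truth table of length 2^n."""
    n = len(tt).bit_length() - 1
    if 1 << n != len(tt):
        raise ValueError("truth table length must be a power of two")
    return n


def directional_derivative(tt, a):
    """Truth table of D_a f(x) = f(x) XOR f(x XOR a); the direction a is an
    integer whose set bits mark the complemented input variables."""
    return [tt[x] ^ tt[x ^ a] for x in range(len(tt))]


def is_balanced(tt):
    """A BF is balanced when exactly half of its 2^n outputs equal one."""
    return 2 * sum(tt) == len(tt)


def weight(a):
    """Hamming weight of the direction vector a."""
    return bin(a).count("1")


def satisfies_pc(tt, k):
    """PC(k) (Preneel et al.): D_a f is balanced for every a with 1 <= wt(a) <= k."""
    n = n_vars(tt)
    if not 1 <= k <= n:
        raise ValueError("k must satisfy 1 <= k <= n")
    return all(
        is_balanced(directional_derivative(tt, a))
        for a in range(1, 1 << n)
        if weight(a) <= k
    )


def satisfies_sac(tt):
    """SAC is PC(1): only the unit vectors c_i^(n) are tested (Lemma 4.3.6)."""
    return satisfies_pc(tt, 1)


def sac_change_counts(tt):
    """For each unit vector c_i^(n), the number of inputs whose output changes.
    Definition 4.3.4 requires every count to equal 2^(n-1)."""
    n = n_vars(tt)
    return {1 << i: sum(directional_derivative(tt, 1 << i)) for i in range(n)}


def linear_structures(tt):
    """Nonzero directions a for which D_a f is constant, i.e., f(x) XOR f(x XOR a)
    takes the same value for every x; such an a makes f fail PC(wt(a))."""
    n = n_vars(tt)
    return [a for a in range(1, 1 << n)
            if len(set(directional_derivative(tt, a))) == 1]


if __name__ == "__main__":
    print("SAC:", satisfies_sac(TABLE_4_7))                        # True
    print("changes per unit vector:", sac_change_counts(TABLE_4_7))  # each 4 = 2^(3-1)
    for k in range(1, 4):
        print(f"PC({k}):", satisfies_pc(TABLE_4_7, k))               # True, True, False
    print("linear structures:", linear_structures(TABLE_4_7))      # [7], i.e. a = 111
```

For this function every $D_a f$ with $\mathrm{wt}(a) \le 2$ is balanced, but $D_{111} f$ is identically zero, so the function satisfies $PC(2)$ and not $PC(3)$; this is exactly the kind of linear structure that SAC alone does not rule out.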

4.3.7  Other  Properties 

There  are  other  criteria  for  BFs  that  are  not  as  prevalent  in  mainstream  literature,  but  have 
gained  notoriety  in  recent  research.  We  start  with  two  properties  that  have  either  already 
been defined or do not require definition. The first of these is the aforementioned algebraic degree. The algebraic degree contributes to the complexity of a BF and is often a
factor  in  attacks  on  ciphers;  we  typically  want  to  employ  BFs  with  the  highest  algebraic 
degree  possible.  Algebraic  attacks  are  very  efficient  against  ciphers  employing  low  degree 
polynomials  [42],  and  the  complexity  of  the  differential  attack  of  higher  order  depends  on 
the  highest  degree  of  the  BF  used  in  the  cryptosystem  [45, 62]. 

Just because a BF has high degree, however, does not make it cryptographically relevant. We saw in Subsection 4.3.2 that via a complement operation, a function was transformed into a monomial. Even though this monomial might have high algebraic degree, it is weak when compared to a polynomial of the same degree. Thus, the other property we consider is the number of terms in the ANF. The BFs that were discussed in Subsection 4.3.3 as nonlinear combining functions in stream-based LFSRs need to have high algebraic degree and many terms in the ANF in order to resist key stream generation by the Berlekamp-Massey Algorithm [45]. The number of terms in the ANF is not a stand-alone property, however. By the same reasoning just presented, a BF with many terms could have an affine equivalent function under a transformation. Thus, this property needs to be considered with other properties, such as affine invariance, algebraic degree, etc.

Motivated by the work of Meier and Staffelbach [51], Carlet introduced a new property with respect to the number of terms in the ANF, i.e., an affine invariant parameter. Carlet called this property the algebraic thickness of a BF. The algebraic thickness, denoted by $\mathcal{T}(f)$, is defined to be the minimum number of terms in the ANF of the set of functions $f \circ A$, where $A$ ranges over the set of all affine automorphisms of $\mathbb{F}_2^n$, i.e., over the general affine group [45,63,64]. As Carlet points out, we would like to work with BFs having the highest possible algebraic thickness, but "classical BFs have small algebraic thickness" [45]. Carlet is not explicit in what he denotes as classic, though one can infer that he means those BFs we are most interested in with respect to cryptographic applications. The algebraic thickness is bounded by the number of variables in the polynomial, i.e., $2^n$, but it is unproven that there exist functions $f$ for which $\mathcal{T}(f) >$ [45].

There  are  still  other  parameters  that  exist  for  which  the  interested  reader  should  consult 
the  references.  One  such  example  is  the  global  avalanche  criteria  (GAC)  as  presented 
by  Xian-Mo  Zhang  and  Yuliang  Zheng  [65].  Both  SAC  and  PC  are  known  to  be  local 
characteristics  of  a  function,  namely  that  they  guarantee  avalanche  features  for  vectors  of 
Hamming  weight  either  1  or  up  to  k.  SAC  and  PC  are  restrictive,  however,  because  they  can 
admit functions having a large Hamming weight with vectors as linear structures. SAC also requires that $f(x) \oplus f(x \oplus a)$ is balanced, which rules out bent functions (see next section).
Other  properties  include  maximum  correlation  [40,66],  nonhomomorphicity  [40,67],  and 
non-k-normality  [40]. 


4.4  Bent  Boolean  Functions 

We  have  mentioned  bent  functions  several  times,  and  now  a  short  background  is  presented. 
Since  bent  BFs  are  not  the  focus  of  this  thesis,  the  reader  should  consult  the  works  of  John 
Dillon,  Oscar  Rothaus,  Robert  McFarland,  W.  Meier,  and  others  [39,51,68-70]  for  more 
on  this  subject. 

Bent  BFs  are  desirable  in  cryptography  because  they  achieve  the  maximum  nonlinearity  for 
a BF, but they are difficult to implement. One such reason was mentioned in the previous section: bent functions have desirable properties, but they are not balanced, and we want balanced functions as S-Boxes.

Definition 4.4.1. A BF $f$ on $\mathbb{F}_2^n$ is called bent if its Hamming distance to the set of all $n$-variable affine functions equals $2^{n-1} - 2^{\frac{n}{2}-1}$. In other words, a bent function achieves the maximum possible nonlinearity, $\mathcal{N}_f$, for any BF in $n$ variables. Furthermore, this distance is only achieved when $n$ is even [40,45].


As a result of the definition, bent functions also achieve many other characteristics. If an $n$-variable BF is bent with $n$ even, then it satisfies $PC(n)$ [39,40]. Meier and Staffelbach's perfect nonlinear functions are essentially an analogous form of bent functions [51]. There is also a definition of bent functions that uses the Walsh transform (see next section).

Although it seems that bent functions are desirable and we should be using them, the mystery surrounding them lies in construction. We know the total number of bent functions for $n = 2, 4, 6, 8$ variables, but we do not know the total for $n \ge 10$. Thus, we have no means to characterize or classify this set of bent functions under the general affine group [40]. The main difficulty here lies in the space of possible bent functions. For $n = 2$, there are 16 possible BFs and eight total bent functions. Remarkably, for $n = 8$, there are $2^{256}$ BFs and approximately total bent functions [39,71].

4.5  Walsh  Transform 

Most readers are familiar with the concept of a mathematical transform. A transform is a relation that takes a function in one domain or basis and transforms it into a function in another domain or basis. A classic example of this is the Laplace Transform, which takes a function $f(t)$ and outputs a new function $F(s)$. We now examine another famous transform, the Fourier Transform, which allows a transfer between the time (or spatial) domain and the frequency domain.

The Fourier Transform has many applications, some of which include acoustics, digital signal processing, physics, engineering, and image processing. It is essentially an extension of the Fourier series, in which periodic behavior is modeled by an infinite sum of sines and cosines. We are interested in the non-continuous version of the Fourier Transform called the discrete Fourier Transform (DFT). In the DFT, the function used as the input is discrete and its values are given over a finite interval. This transform is also invertible so that we can move back and forth between bases.

With regard to BFs, the DFT is an invertible mapping of the function values onto a set of coefficients, called Fourier coefficients [72]. Knowledge of the Fourier coefficients gives information about the function, such as computational complexity and other properties of BFs. In particular, the DFT of a function gives the weights of all functions of the form $f \oplus \ell$, where $\ell$ is affine [40]. The DFT of BFs is also called the Walsh Transform (WT).

Recall from linear algebra that a basis for a vector space is a set of linearly independent vectors that can span that space, i.e., every vector in the vector space can be represented by a linear combination of the basis vectors. By doing so, we find the coordinates of every point in the space with respect to that basis. This can be difficult if the basis vectors are not orthogonal. If we can find an orthogonal basis for the vector space, then we can define an inner (dot) product and expressing all vectors in the vector space is much easier.

In the most general sense, a BF is a 0-1 valued real function defined on $\{0,1\}^n$, i.e., $f : \mathbb{F}_2^n \to \mathbb{R}$. If we restrict the codomain of $f$ to only the two-valued functions on this domain, then we consider $f : \mathbb{F}_2^n \to \mathbb{F}_2$. The domain of the space of all these functions is an Abelian group, for which we define a group character, $Q_w(x) = (-1)^{\langle w \cdot x \rangle}$. The notation $\langle w \cdot x \rangle$ is the inner (dot) product on vectors over $\mathbb{F}_2$, $w_1 x_1 \oplus w_2 x_2 \oplus \cdots \oplus w_n x_n$. The set of functions $\{Q_w : w \in \mathbb{F}_2^n\}$ forms an orthogonal basis for the vector space $\mathbb{F}_2^n$ [72]. The WT then defines the coefficients of the BF $f$ with respect to this orthogonal basis.

Definition 4.5.1. [39,73] If $f$ is any real-valued function on $\mathbb{F}_2^n$, i.e., $f : \mathbb{F}_2^n \to \mathbb{R}$, then the Walsh Transform (WT)^ of $f$ on a vector $w$ is defined by

$$F(w) = W(f)(w) = \sum_{x \in \mathbb{F}_2^n} f(x) \cdot (-1)^{\langle w \cdot x \rangle}, \qquad (4.11)$$

where $w \in \mathbb{F}_2^n$ and $\langle w \cdot x \rangle = w_1 x_1 \oplus w_2 x_2 \oplus \cdots \oplus w_n x_n$ over $\mathbb{F}_2$. The function $f$ can be recovered from $F(w)$ by the inverse Walsh Transform

$$f(x) = W^{-1}(F)(x) = 2^{-n} \sum_{w \in \mathbb{F}_2^n} F(w) \cdot (-1)^{\langle w \cdot x \rangle}. \qquad (4.12)$$

Of course, the BF $f$ takes on the real values $\{0,1\}$, but sometimes it is easier to work with BFs that take on values in the range $\{-1,1\}$. This alternate group of functions will be denoted by $\hat{f}$. The function $\hat{f}$ is related to the function $f$ in the following manner

$$\hat{f}(x) = (-1)^{f(x)} \quad \text{or} \quad \hat{f}(x) = 1 - 2f(x). \qquad (4.13)$$


^We  acknowledge  that  the  nomenclature  within  the  Walsh  Transform  is  varied.  Some  sources  call 
this  definition  the  Hadamard  Transform,  the  discrete  Fourier-Walsh-Hadamard  Transform,  or  the  Walsh- 
Hadamard  Transform.  Unfortunately,  there  is  no  standard  definition,  but  the  notation  presented  here  is 
adopted  from  [39,73]. 
The function on the left in Equation 4.13 is often referred to as the sign function, for which the WT also exists. This transform, however, we will call the Walsh-Hadamard Transform (WHT).

Definition 4.5.2. The Walsh-Hadamard Transform of $f$ is given by

$$\hat{F}(w) = W(\hat{f})(w) = \sum_{x \in \mathbb{F}_2^n} (-1)^{f(x) \oplus \langle w \cdot x \rangle}. \qquad (4.14)$$

In the same way that $f$ and $\hat{f}$ are related, there is also a relationship between the WT and the WHT. This is a rather important relationship, thus it is stated as a lemma. The simple proof is omitted, but is available in [39].

Lemma 4.5.3. If $\hat{f}(x) = (-1)^{f(x)}$, then

$$\hat{F}(w) = -2F(w) + 2^n \delta(w), \qquad (4.15)$$

or

$$F(w) = 2^{n-1}\delta(w) - \tfrac{1}{2}\hat{F}(w), \qquad (4.16)$$

where $\delta(w)$ is the Kronecker delta function (sometimes called the Dirac symbol) defined as

$$\delta(w) = \begin{cases} 1, & \text{if } w = 0 \\ 0, & \text{otherwise.} \end{cases}$$

Equations 4.11 and 4.14 each yield a vector of Fourier coefficients as $w$ varies, also known as Walsh coefficients. These lists of $2^n$ coefficients are called the Walsh spectrum of $f$ and the Walsh-Hadamard spectrum of $f$, respectively [39]. For general purposes, we refer to either list as the Walsh spectrum of a BF, although context should be clear upon which version is presented. The Walsh spectrum is another unique representation of a BF and is often used as a means to explicitly define certain cryptographic properties on a function. We will return to this notion shortly, but first we present an example of the WT.
EXAMPLE 4.5.4. Both the WT and WHT involve sums over the entire vector space $\mathbb{F}_2^n$. Thus, by-hand calculations are rarely practical. Consider the BF defined as $f : \mathbb{F}_2^2 \to \mathbb{F}_2$, with ANF given by $1 \oplus x_1 \oplus x_2$. The truth table representation is given in Table 4.8.


 x1  x2 |  f
  0   0 |  1
  0   1 |  0
  1   0 |  0
  1   1 |  1

Table 4.8: Truth Table Representation for $1 \oplus x_1 \oplus x_2$.


WT

$$F(w) = W(f)(w) = \sum_{x \in \mathbb{F}_2^2} f(x) \cdot (-1)^{\langle w \cdot x \rangle}$$

$F(00) = 1(-1)^0 + 0 + 0 + 1(-1)^0 = 2$
$F(01) = 1(-1)^0 + 0 + 0 + 1(-1)^1 = 0$
$F(10) = 1(-1)^0 + 0 + 0 + 1(-1)^1 = 0$
$F(11) = 1(-1)^0 + 0 + 0 + 1(-1)^0 = 2$

Walsh spectrum = $(2, 0, 0, 2)$

WHT

$$\hat{F}(w) = W(\hat{f})(w) = \sum_{x \in \mathbb{F}_2^2} (-1)^{f(x) \oplus \langle w \cdot x \rangle}$$

$\hat{F}(00) = (-1)^{1 \oplus 0} + (-1)^{0 \oplus 0} + (-1)^{0 \oplus 0} + (-1)^{1 \oplus 0} = 0$
$\hat{F}(01) = (-1)^1 + (-1)^1 + (-1)^0 + (-1)^0 = 0$
$\hat{F}(10) = (-1)^1 + (-1)^0 + (-1)^1 + (-1)^0 = 0$
$\hat{F}(11) = (-1)^1 + (-1)^1 + (-1)^1 + (-1)^1 = -4$

Walsh-Hadamard spectrum = $(0, 0, 0, -4)$
The reader can easily verify the relation between the two spectra using Equation 4.15 and that the truth table output can be recovered by the inverse in Equation 4.12. Note that the Kronecker delta function is only equal to one when $w$ is the zero vector.

Since the WT operates as a DFT, the classical method of solving for the Fourier coefficients is not an integral problem but rather a matrix problem. Thus, the Walsh spectrum can also be found by means of Hadamard matrices. Hadamard matrices are recursively constructed and consist of $\pm 1$s. Formally [39], a Hadamard matrix $H$ of order $n$ is an $n \times n$ matrix of $\pm 1$s such that $HH^T = nI_n$, where $H^T$ is the transpose of $H$ and $I_n$ is the $n \times n$ identity matrix. The recursion is given as

$$H_0 = [1]; \quad H_1 = \begin{bmatrix} 1 & 1 \\ 1 & -1 \end{bmatrix}, \quad \text{and} \quad H_n = \begin{bmatrix} H_{n-1} & H_{n-1} \\ H_{n-1} & -H_{n-1} \end{bmatrix}. \qquad (4.17)$$

Thus, $H_2$ is constructed in typical block matrix style as

$$H_2 = \begin{bmatrix} 1 & 1 & 1 & 1 \\ 1 & -1 & 1 & -1 \\ 1 & 1 & -1 & -1 \\ 1 & -1 & -1 & 1 \end{bmatrix}.$$

Therefore, expressed as a matrix product, the WT is given by [46,61]

$$[F] = H_n \cdot [f], \qquad (4.18)$$

where $[F]$ is a column vector of the Walsh spectrum values and $[f]$ is a column vector of the function values. Returning to Example 4.5.4, we can compute the Walsh spectrum using the Hadamard matrix, but again note for large values of $n$, computations by hand become impractical quickly.


Similarly, the WHT can be expressed in terms of the Hadamard matrix as $[\hat{F}] = H_n \cdot [(-1)^f]$, where $[\hat{F}]$ is a column vector of the Walsh-Hadamard spectrum and $[(-1)^f]$ is a column vector of negative ones raised to the function values [46].


We now return to the concept alluded to in the previous section concerning the WT and cryptographic properties of BFs. There are a number of properties related to the WT/WHT, namely because the transform is a linear mapping and provides information on nonlinearity [46,72]. We must be careful to define which transform is being used though, which should be clear in the notation. Other properties, such as SAC and PC, are related to the autocorrelation function, which we do not discuss here but can be found in [39].

Balance: [46] A BF is balanced if $\hat{F}(\mathbf{0}) = 0$. This feature is observed in Example 4.5.4.

Nonlinearity: The nonlinearity of $f$ is determined by the WHT of $f$ [39], that is,

$$\mathcal{N}_f = 2^{n-1} - \frac{1}{2} \max_{u \in \mathbb{F}_2^n} |\hat{F}(u)|, \qquad (4.19)$$

where the bars represent absolute value. The function in Example 4.5.4 has nonlinearity zero since $2^1 - \frac{1}{2}(4) = 0$.

Correlation Immunity: [39] A BF is correlation immune of order $k$, $1 \le k \le n$, if and only if $\hat{F}(w) = 0$ for $1 \le \mathrm{wt}(w) \le k$. The function in Example 4.5.4 is correlation immune of order one since both $\hat{F}(01) = 0$ and $\hat{F}(10) = 0$.

Resiliency: [46] Since resiliency also includes correlation immunity, the same stipulations on the WHT apply here. Thus, the resiliency for the function in Example 4.5.4 is also one.

Bent BFs: A BF in $n$ variables is bent if and only if $\hat{F}(u) = \pm 2^{n/2}$ for all $u \in \mathbb{F}_2^n$ [51,68]. The function $f(x) = x_1 x_2$ on $\mathbb{F}_2^2$ is bent since the Walsh-Hadamard spectrum satisfies $|\hat{F}(u)| = 2^{2/2} = 2$, namely $(2, 2, 2, -2)$. Another version of the Fourier spectrum is the energy spectrum. The energy spectrum is defined as the square modulus of the Fourier transform [61], i.e., $\hat{F}^2$. In this manner, all coefficients are positive constants. With respect to the energy spectrum of a BF, we often characterize a bent function as having a flat spectrum.
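To make the spectral computations of this section concrete, the following Python is an added example (not code from the thesis): it implements the WT (4.11), its inverse (4.12), the WHT (4.14), the relation of Lemma 4.5.3, the Hadamard-matrix form (4.17)-(4.18), and the spectrum-based criteria just listed (balance, nonlinearity (4.19), correlation immunity, bentness, energy spectrum), using the truth tables of Example 4.5.4 and of $x_1 x_2$ as constructed input.

```python
# Added example (not from the thesis): Walsh / Walsh-Hadamard spectra of a BF
# and the cryptographic criteria read off them (Section 4.5 of the thesis).

# Truth tables indexed by the integer formed from the input bits (x1 x2 -> index).
F_EX_4_5_4 = [1, 0, 0, 1]   # 1 + x1 + x2 from Example 4.5.4 (Table 4.8)
F_X1X2 = [0, 0, 0, 1]       # x1 * x2, the bent function named in the text


def n_vars(tt):
    """Number of variables n for a truth table of length 2^n."""
    n = len(tt).bit_length() - 1
    if 1 << n != len(tt):
        raise ValueError("truth table length must be a power of two")
    return n


def dot(w, x):
    """<w . x> = w1 x1 + ... + wn xn over F_2, i.e., parity of the bitwise AND."""
    return bin(w & x).count("1") & 1


def walsh_transform(tt):
    """F(w) = sum_x f(x) (-1)^<w.x>, Equation (4.11); returns the Walsh spectrum."""
    N = len(tt)
    return [sum(tt[x] * (-1) ** dot(w, x) for x in range(N)) for w in range(N)]


def inverse_walsh_transform(F):
    """f(x) = 2^-n sum_w F(w) (-1)^<w.x>, Equation (4.12)."""
    N = len(F)
    return [sum(F[w] * (-1) ** dot(w, x) for w in range(N)) // N for x in range(N)]


def walsh_hadamard_transform(tt):
    """F^(w) = sum_x (-1)^(f(x) + <w.x>), Equation (4.14); the WHT spectrum."""
    N = len(tt)
    return [sum((-1) ** (tt[x] ^ dot(w, x)) for x in range(N)) for w in range(N)]


def wht_from_wt(F):
    """Lemma 4.5.3, Equation (4.15): F^(w) = -2 F(w) + 2^n delta(w)."""
    N = len(F)  # 2^n
    return [-2 * F[w] + (N if w == 0 else 0) for w in range(N)]


def hadamard_matrix(n):
    """Recursion (4.17): H_0 = [1], H_n = [[H, H], [H, -H]], a 2^n x 2^n matrix."""
    H = [[1]]
    for _ in range(n):
        H = [row + row for row in H] + [row + [-v for v in row] for row in H]
    return H


def walsh_via_hadamard(tt):
    """[F] = H_n . [f], Equation (4.18)."""
    H = hadamard_matrix(n_vars(tt))
    return [sum(h * v for h, v in zip(row, tt)) for row in H]


def is_balanced(tt):
    """Balance criterion: F^(0) = 0."""
    return walsh_hadamard_transform(tt)[0] == 0


def nonlinearity(tt):
    """N_f = 2^(n-1) - (1/2) max_u |F^(u)|, Equation (4.19); max|F^| is even."""
    n = n_vars(tt)
    return 2 ** (n - 1) - max(abs(v) for v in walsh_hadamard_transform(tt)) // 2


def correlation_immunity_order(tt):
    """Largest k with F^(w) = 0 for all 1 <= wt(w) <= k (0 if some weight-one
    coefficient is nonzero)."""
    n = n_vars(tt)
    Fh = walsh_hadamard_transform(tt)
    order = 0
    for k in range(1, n + 1):
        if any(Fh[w] != 0 for w in range(1, 1 << n) if bin(w).count("1") == k):
            break
        order = k
    return order


def is_bent(tt):
    """Bent iff n is even and F^(u) = +-2^(n/2) for every u."""
    n = n_vars(tt)
    if n % 2:
        return False
    return all(abs(v) == 2 ** (n // 2) for v in walsh_hadamard_transform(tt))


def energy_spectrum(tt):
    """Square modulus of the WHT; it is flat (constant) exactly for bent functions."""
    return [v * v for v in walsh_hadamard_transform(tt)]


if __name__ == "__main__":
    print("WT  :", walsh_transform(F_EX_4_5_4))            # [2, 0, 0, 2]
    print("WHT :", walsh_hadamard_transform(F_EX_4_5_4))   # [0, 0, 0, -4]
    print("bent x1x2:", is_bent(F_X1X2), energy_spectrum(F_X1X2))  # True [4, 4, 4, 4]
```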


4.6  Vectorial  Boolean  Functions 

Recall that an S-Box is a mapping or substitution from an $m$-bit input to an $n$-bit output, where $m$ and $n$ need not be equal. Over the binary field, this is represented by $f : \mathbb{F}_2^m \to \mathbb{F}_2^n$. These functions are also called $(m,n)$-functions, multi-output BFs, vectorial BFs, and S-Boxes [48]. Vectorial BFs employed in iterative block ciphers are used to provide confusion in the algorithm. Much work in the area of vectorial BFs for cryptography has been done by Carlet [40,48].

Given that $m$ and $n$ are positive integers, if a function $F$ exists as an $(m,n)$-function, then the BFs $f_1, f_2, \ldots, f_n$ defined at every $x \in \mathbb{F}_2^m$ by $F(x) = (f_1(x), \ldots, f_n(x))$ are called the coordinate functions of $F$ [48]. In the case of DES, each of the eight S-Boxes is a function $f : \mathbb{F}_2^6 \to \mathbb{F}_2^4$. Within each S-Box, we treat the four rows as coordinate functions. Thus, for any S-Box, there exists $F(x) = (f_1(x), f_2(x), f_3(x), f_4(x))$, where each $f_i$ is a mapping from $\mathbb{F}_2^6$ to $\mathbb{F}_2$. Our aim in this thesis is to examine the coordinate functions of the S-Boxes.

There has been extensive research on the construction of cryptographically good S-Boxes. The DES creators stated that the boxes were built to resist a differential attack. One such method for doing so requires that the output of an $(m,n)$-function $F$ to its derivatives $D_a(x) = F(x) + F(x + a)$ must be distributed as uniformly as possible [48]. There is also a method for designing against Matsui's linear attack, which deals with linear combinations of the coordinate functions [48].

The DES S-Boxes have received much attention over the years. Webster, Tavares, and Adams, while writing in terms of generic S-Boxes, have always used DES as influence in their analysis. For example, in [58], the authors show that the set of DES S-Boxes do not satisfy the SAC; the probability that an output bit will change when a single input bit is complemented varies from 0.43 to 0.93. Granted, SAC did not exist at the time when IBM created DES. S-Box construction has also been studied from the viewpoints of random generation versus systematic design. While random generation is often effective, the design criteria mentioned by Adams and Tavares [50] are worth noting.
According to Adams and Tavares, an S-Box must satisfy the following criteria to be "cryptographically desirable":

1.  bijection; 

2.  nonlinearity; 

3.  strict  avalanche; 

4.  independence  of  output  bits. 

Property (1) observes that a $2^n \times n$ S-Box is bijective, i.e., invertible (which may or may not be necessary). In doing so, the input vectors map to distinct output vectors and the output vectors appear only once per stage. Property (2) is obvious, but in order to ensure nonlinearity at both the bit level and integer level, the S-Box must utilize $n$ nonlinear BFs. As a consequence of Property (1), Property (2) is typically achieved in the inverse S-Box. Property (3) was introduced in [58], but an S-Box as a whole possesses the SAC if it has Properties (1) and (4), and all $n$ BFs fulfill the SAC. To show this, Adams and Tavares used Forré's method of construction for SAC-fulfilling BFs [73]. Property (4) is intended to resist certain correlation attacks. Others such as K. Kim have done more recent research into the construction of good S-Boxes; for a survey of these techniques, consult [47,49,59,60].
CHAPTER 5:
Basic Graph Theory


Graph theory is the study of graphs, but not the typical function graph depicted on, say, the $x$-$y$ plane. Instead, graph theory examines the relations between objects, be they people, places, devices, molecules, etc. Since the field implicates models of everyday life, some refer to graphs as networks. Most scholars date the origin of graph theory to the famous Königsberg bridge problem solved by Euler in 1736. While it is a fairly old discipline, tremendous advances in graph theory, especially regarding networks, have spurred interest in the field within the last century. There are many terms within graph theory that are not defined here, but the reader can consult a standard graph theory text such as [74] for more insight.


5.1  Definitions 

A  graph  is  a  collection  of  objects  called  vertices  and  the  relations  between  them  called 
edges.  Sometimes,  vertices  are  also  called  nodes  while  edges  are  also  called  arcs. 

Definition 5.1.1. [74] A graph $G$ is an ordered pair $(V,E)$, where $V$ is the finite set of vertices of $G$ and $E$ is the set of two-element subsets of $V$ called edges. $V$ is called the vertex set of $G$ and $E$ is called the edge set of $G$. The cardinality of $V$ is called the order of the graph $G$, denoted by $n$.


A  graph  can  be  uniquely  represented  by  the  ordered  pair  (V,E)  or  by  a  pictorial  model. 
Consider  Example  5.1.2  where  this  is  depicted. 

EXAMPLE 5.1.2. In Figure 5.1, $G$ is given by $(V,E)$, where $V = \{v_1, v_2, v_3, v_4, v_5\}$ and $E = \{\{v_1,v_2\}, \{v_2,v_3\}, \{v_3,v_4\}, \{v_4,v_5\}, \{v_1,v_5\}, \{v_1,v_3\}, \{v_1,v_4\}\}$. Ordinarily, we omit the set notation on the vertex pairs, so $E$ can be written as $E = \{v_1v_2, v_2v_3, v_3v_4, v_4v_5, v_1v_5, v_1v_3, v_1v_4\}$. This graph is undirected, in that there is no orientation on the edges. This graph is also simple because there are no loops or multiple edges.

Figure 5.1: A Graph $G$ on $n = 5$ Vertices.


Note in Example 5.1.2 that if the edge $v_iv_j$ is in the edge set of $G$, then it appears as a line segment (or curve) connecting vertex $v_i$ with vertex $v_j$. If the edge $v_iv_j$ exists, i.e., $v_iv_j \in E(G)$, then we say that $v_i$ and $v_j$ are adjacent. If $v_i$ and $v_j$ are adjacent, then they are also referred to as neighbors. If an edge $e$ joins vertices $v_i$ and $v_j$, then we say that $e$ is incident with $v_i$ (as well as $v_j$).

Some  graphs  allow  for  multiple  connections  between  two  vertices.  For  example,  an  airline 
might  plan  several  routes  between  Detroit  and  San  Francisco,  depending  on  weather,  traffic, 
or  other  variables.  In  this  case,  the  airline  route  graph  can  depict  multiple  routes,  which  we 
call  a  multigraph.  If  an  edge  is  also  permitted  to  join  a  vertex  to  itself,  then  this  graph  is 
called  a  pseudograph.  Figure  5.2  depicts  these  types  of  graphs. 


Figure  5.2:  Multigraph  and  Pseudograph,  Respectively. 
A multigraph contains at least one pair of distinct vertices that are joined by multiple (parallel) edges. Multigraphs do not permit loops. A pseudograph permits multiple edges and loops, but does not necessarily contain multiple edges. In this thesis we will consider simple graphs and pseudographs.

The degree of a vertex can be defined in two synonymous ways. The degree of $v \in V(G)$ is equal to the number of edges incident with $v$. We also have that the degree of $v \in V(G)$ is the number of vertices adjacent to $v$ [74]. The degrees of the vertices within the graphs of Figure 5.2 can be represented as sequences: $(3, 3, 3, 5)$ and $(3, 3, 4, 4, 4)$^, respectively. There are various rules, theorems, and bounds pertaining to vertex degree, but again we assume that the reader has knowledge of these or can consult a standard reference.

Additionally, a graph $G$ is regular if all vertices of $G$ have the same degree. A graph $G$ is $r$-regular if $\deg(v) = r$ for all $v \in V(G)$.

5.2  Matrix  Representations 

A graph can also be represented by a matrix describing the relations on vertices and edges. The most widely used matrix to describe a graph is the adjacency matrix. Like the name implies, the adjacency matrix displays the vertex adjacencies of the edge set of $G$ (as well as the non-adjacencies).

Definition 5.2.1. [74] Assume that $G$ is a simple, undirected graph of order $n$ with vertex set $\{v_1, v_2, \ldots, v_n\}$. The adjacency matrix of $G$ is the $n \times n$ matrix $A = [a_{ij}]$, whose entries $a_{ij}$ are given by

$$a_{ij} = \begin{cases} 1, & \text{if } v_iv_j \in E(G) \\ 0, & \text{otherwise.} \end{cases}$$

Figure 5.3 illustrates the concept of an adjacency matrix. The labeling of vertices outside the adjacency matrix is not a common practice, but this is displayed for the benefit of the reader.


^Note  that  for  the  loop,  we  counted  the  degree  twice  for  the  loop.  While  some  graph  theorists  and  authors 
only  consider  a  loop  to  contribute  one  towards  the  vertex  degree,  the  majority  of  texts  double  count  the  degree 
for  a  loop. 
$$A = \begin{array}{c|cccccc} & a & b & c & d & l & m \\ \hline a & 0 & 1 & 0 & 0 & 0 & 1 \\ b & 1 & 0 & 1 & 1 & 0 & 1 \\ c & 0 & 1 & 0 & 1 & 1 & 1 \\ d & 0 & 1 & 1 & 0 & 1 & 0 \\ l & 0 & 0 & 1 & 1 & 0 & 1 \\ m & 1 & 1 & 1 & 0 & 1 & 0 \end{array}$$

Figure 5.3: A Graph and Its Associated Symmetric Adjacency Matrix.


There  are  a  couple  of  observations  [75,76]  to  make  with  respect  to  the  adjacency  matrix 
for  a  simple,  undirected  graph. 

i) $A$ is a real and symmetric matrix;

ii) The row sums for each $i$ of $A$ equal the degree of each $v_i$;

iii) The diagonal entries of $A$ are zero;

iv) The trace of $A$ is zero, i.e., $\mathrm{tr}(A) = \sum_{i=1}^{n} a_{ii} = 0$;

v) There is a one-to-one correspondence between the graph $G$ and its associated adjacency matrix $A$ (up to isomorphism and rearrangement of vertices in $A$);

vi) $A$ is not unique, since we can reorder the vertices and arrive at a different representation.

Adjacency matrices for multigraphs are formed in a similar manner, in that the entry $a_{ij}$ is the number of edges between $v_i$ and $v_j$. In a pseudograph, however, we must now account for loops, which implies nonzero entries on the diagonal. Unfortunately, there is no standard method to handle the entry $a_{ii}$ in the adjacency matrix of a pseudograph. Some propose that a loop should be given a weight of two (i.e., the entry $a_{ii}$ is twice the number of loops attached to the vertex $v_i$ [77]). This vertex-centric approach allows the adjacency matrix to hold the properties of row sums equaling the degree as well as the First Theorem of Graph Theory.^ Others propose that a loop should be given a weight of one, which leans toward an edge-centric approach [78]. For this thesis, we use the latter approach, the reasons for which will become apparent in Section 5.4. Consider Figure 5.4 as an example of our approach to pseudographs.


$$A = \begin{array}{c|cccccc} & a & b & c & d & l & m \\ \hline a & 0 & 1 & 0 & 0 & 0 & 1 \\ b & 1 & 0 & 1 & 1 & 0 & 1 \\ c & 0 & 1 & 0 & 1 & 1 & 1 \\ d & 0 & 1 & 1 & 1 & 1 & 0 \\ l & 0 & 0 & 1 & 1 & 1 & 1 \\ m & 1 & 1 & 1 & 0 & 1 & 0 \end{array}$$

Figure 5.4: A Pseudograph and Its Associated Adjacency Matrix.


The most common approach to multigraphs and pseudographs is to consider them as weighted graphs. In this respect, we assign each edge a weight. If an edge is not present, it has a weight of zero. Thus, this allows all graphs to be treated as weighted graphs, with an assigned weight function satisfying $W : V \times V \to \mathbb{R}$, with $w(i,j) = w(j,i)$ and $w(i,j) \ge 0$ [79]. The weight function $W$ also has the property that $w(i,j) > 0$ if and only if $ij \in E(G)$. With this application, a simple, undirected, and unweighted graph is a special case where the weights are either one or zero. Therefore, we use the terms adjacency matrix and matrix of weights interchangeably. This weighting does allow for the possibility of an adjacency matrix that is not in the traditional 0-1 format, but given our approach in Figure 5.4 we will not consider this.

Another matrix representation for a graph is the Laplacian. The Laplacian matrix has a long history dating back to the German physicist Gustav Kirchhoff. In 1847, Kirchhoff developed the basis for the matrix-tree theorem (see [74]), which uses the Laplacian matrix in its construction. Therefore, the Laplacian is also referred to as the Kirchhoff matrix [80].

^The First Theorem of Graph Theory states that the sum of the degrees in a graph $G$ is equal to twice the number of edges in $G$.
Definition 5.2.2. [79, 80] Let $G$ be a graph, possibly weighted, of order $n$. The Laplacian matrix of $G$ is the $n \times n$ matrix $L = [L_{ij}]$, whose entries $L_{ij}$ are given by
\[
L = D - A,
\]
where $D$ is the diagonal matrix indexed by $V(G)$, with $i, j \in V(G)$, $\deg(i) = d(i) = \sum_j a_{ij} = \sum_j w(i,j)$, and $A$ is the adjacency matrix. In an equivalent fashion,
\[
L_{ij} =
\begin{cases}
d(i) - w(i,i), & \text{if } i = j, \\
-w(i,j), & \text{if } i \neq j \text{ and } ij \in E(G), \\
0, & \text{otherwise.}
\end{cases}
\]

Unfortunately, the Laplacian does not have a one-to-one correspondence with a graph $G$. It is mainly used to deduce properties of the (possibly unknown) graph. However, it is a real symmetric matrix, and in fact the Laplacian is a positive semidefinite, singular matrix. Consider Example 5.2.3, in which the Laplacian is computed for the graph in Figure 5.4.

EXAMPLE 5.2.3.
There are still other matrices that can be used to represent a graph, such as the incidence matrix, distance matrix, normalized Laplacian, signless normalized Laplacian, and signless Laplacian. However, these matrices are not the focus of this thesis.
5.3 Spectral Graph Theory

The field of linear algebra is rich with techniques for examining structural properties of matrices. With the ability to represent a graph by a matrix, these techniques become available to the user. This field is known as algebraic graph theory, in which we attempt to determine properties of graphs using algebraic properties of the matrices representing them [81, 82]. Spectral graph theory is a subfield of algebraic graph theory which specifically aims to examine graph properties using the spectrum of a graph's associated matrix. The classic references on this subject are found in the works of Biggs [76], Cvetković et al. [77], and Chung [79]. The importance of spectral graph theory can be observed in the following quotations.

Just as astronomers study stellar spectra to determine the make-up of distant stars, one of the main goals in graph theory is to deduce the principal properties and structure of a graph from its graph spectrum. The spectral approach for general graphs is a step in this direction. There is no question that eigenvalues play a central role in our fundamental understanding of graphs. [79]

Spectral graph theory is a useful subject. The founders of Google computed the Perron-Frobenius eigenvector of the web graph and became billionaires. [81]

5.3.1 Definitions

Definition 5.3.1. [76, 81] The (ordinary) spectrum of a finite graph $G$ of order $n$ is the spectrum of the adjacency matrix $A(G)$, that is, the set of $n$ eigenvalues of $A(G)$ together with their (algebraic) multiplicities. If the distinct eigenvalues of $A(G)$ are $\lambda_1 < \lambda_2 < \cdots < \lambda_n$ and their multiplicities are $m(\lambda_1), m(\lambda_2), \ldots, m(\lambda_n)$, then we shall write
\[
\operatorname{Spec} G =
\begin{pmatrix}
\lambda_1 & \lambda_2 & \cdots & \lambda_n \\
m(\lambda_1) & m(\lambda_2) & \cdots & m(\lambda_n)
\end{pmatrix}.
\]

Similarly, the Laplace spectrum of a finite graph $G$ is the spectrum of the Laplacian matrix $L$ [81]. Note that Definition 5.3.1 does not include the corresponding eigenvectors. This is mainly due to the fact that eigenvectors are not unique: for a given eigenvalue $\lambda$, any scalar multiple of a nonzero vector $x$ satisfies the eigenvalue problem $Ax = \lambda x$. There are certain graph properties that do account for eigenvectors, but in general we will not be concerned with them here.

Recall that to find the $n$ eigenvalues of an $n \times n$ matrix $A$, we must find the $n$ roots of the characteristic polynomial $p(\lambda) = \det(A - \lambda I)$. Since the adjacency matrix $A$ is real and symmetric, its eigenvalues are also real numbers. Likewise, since the Laplacian $L$ is positive semidefinite, its eigenvalues are all nonnegative (i.e., $\lambda_i \ge 0$ for all $i \in \{1, 2, \ldots, n\}$), and a zero eigenvalue is guaranteed (since the row sums are zero) [80]. Additionally, the algebraic and geometric multiplicity of each eigenvalue is the same, hence multiplicity is used for both.

5.3.2 Some Known Results

We now present some of the many known results on graph spectra. Some of these deal with the adjacency matrix and some deal with the Laplacian. From context it should be clear which matrix is being used. Also, it should be apparent that if $\lambda$ is an eigenvalue of the adjacency matrix $A$ for an $r$-regular graph $G$, then $r - \lambda$ is an eigenvalue of the Laplacian $L$. For added clarity, we refer to the eigenvalues of $A$ as $\lambda_1, \lambda_2, \ldots, \lambda_n$ and the eigenvalues of $L$ as $\mu_1, \mu_2, \ldots, \mu_n$. At certain points, we refer to the eigenvalues of $A$ or $L$ as the eigenvalues of $G$.

Degree

If $G$ has maximum degree $\Delta(G)$, then $|\lambda| \le \Delta(G)$ for every eigenvalue $\lambda$ of $G$ [83].

The sum of the Laplacian eigenvalues is equal to the degree sum of a graph [84], i.e.,
\[
\sum_{i=1}^{n} \mu_i = \sum_{i=1}^{n} d(i).
\]

Regular Graphs

An $r$-regular graph $G$ has row sums equal to $r$ in the adjacency matrix of weights. The following results [76, 81, 83] also hold:

1. $r$ is an eigenvalue of $G$;

2. For all eigenvalues $\lambda$ of $G$, we have $|\lambda| \le r$;

3. If $r$ is an eigenvalue, then the all-1 vector is an eigenvector of $G$.
Connectedness

A graph $G$ is connected if every pair of vertices of $G$ is connected, i.e., there is a path between every two vertices of $G$. A $u$-$v$ path in a graph is a sequence of vertices beginning with $u$ and ending at $v$ such that consecutive vertices in the sequence are adjacent, with the additional restriction that no vertices are repeated [74].

If a graph $G$ is connected, then: (1) the largest eigenvalue of $A$ has multiplicity one, and (2) the second smallest eigenvalue of $L$ is greater than zero [85, 86].

Closely related to the idea of connectivity is the number of components of a graph. A component of $G$ is a connected subgraph of $G$ that is not a proper subgraph of any other connected subgraph of $G$ [74]. The number of components of a graph $G$ is denoted by $k(G)$. As related to spectra, $k(G)$ is equal to the multiplicity of the smallest eigenvalue $\mu = 0$ of the Laplacian $L$ [86]. Thus, a graph is connected if and only if $k(G) = 1$, since it only has one component.

A graph $G$ is bipartite if its vertex set can be partitioned into two disjoint sets $U$ and $W$ such that every edge of $G$ contains a vertex from $U$ and a vertex from $W$ [74]. As relating to spectra, a graph $G$ is bipartite if and only if $\operatorname{Spec} L = \operatorname{Spec} L^{+}$, where $L^{+}$ is the signless Laplacian [81]. Recent research on internet topology has also revealed that a graph is bipartite if the normalized Laplacian has an eigenvalue of 2 [87, 88]. Additionally, an $r$-regular graph is bipartite if and only if $\lambda_1 = -r$ [89].

Diameter

Given a $u$-$v$ path, the length of the path is the number of edges between $u$ and $v$. The distance between $u$ and $v$ is the length of a shortest $u$-$v$ path in a graph $G$. The diameter of a graph is the greatest distance between any two vertices of a connected $G$ [74]. The diameter is often used to get a sense of how large a component is, which is especially useful when analyzing large networks. As relating to spectra [76, 77], if a connected graph $G$ has $d$ distinct eigenvalues, then its diameter is bounded above by $d - 1$, i.e., $\operatorname{diam}(G) \le d - 1$. This same result holds for Laplacian eigenvalues [81]. A lower bound on the diameter of a graph $G$ of order $n$ is also given in terms of the second smallest Laplacian eigenvalue [80], $\mu_2$, as
\[
\operatorname{diam}(G) \ge \frac{4}{n \mu_2}.
\]
Second Smallest Eigenvalue

The second smallest eigenvalue of the Laplacian is an interesting topic in the field of spectral graph theory. For the remainder of this thesis, we refer to the second smallest eigenvalue of the Laplacian as $\mu_2$, also called the Fiedler value. Miroslav Fiedler [90] referred to this eigenvalue as the algebraic connectivity of a graph $G$. As mentioned with regard to connectivity, a graph $G$ is connected if and only if $\mu_2 > 0$. Another result [91] relates the algebraic connectivity with the number of vertices in a graph of degree $n - 1$, i.e., $d^{*}_{n-1} \le \mu_2$, where $d^{*}_{n-1}$ is the number of vertices of degree $n - 1$.

Fiedler also found relations between the algebraic connectivity and two graph parameters: vertex connectivity and edge connectivity. In order to understand these two parameters, we need the idea of cuts. A vertex-cut of $G$ is a set $U$ of vertices of $G$ such that $G - U$ is disconnected, i.e., removing the set $U$ (and the edges incident with these vertices) disconnects the graph $G$ into components. Thus, the vertex-connectivity $\kappa(G)$ of a graph $G$ is the cardinality of a minimum vertex-cut of $G$ [74]. Fiedler [90] proved that if $G$ is not a complete graph^, then $\mu_2 \le \kappa(G)$. Similarly, an edge-cut of $G$ is a set $X$ of edges of $G$ such that $G - X$ is disconnected. Hence, the edge-connectivity $\eta(G)$ is the cardinality of a minimum edge-cut of $G$ [74]. Once again, Fiedler [90] proved that $\mu_2 \le \kappa(G) \le \eta(G)$.

We also have that $\mu_2 = n$ if and only if $G$ is a complete graph on $n$ vertices.

In graph theory and especially in network science, analysts and attackers are often concerned with cuts. In any model network, an adversary might want to know the minimum number of edges (links) or nodes to cut before the entire network is disconnected. This is a classic problem in graph theory, known as a type of isoperimetric problem. In spectral geometry, the isoperimetric problem is to find a closed curve of a given length that encloses the maximum area. In graph theory, this is equivalent to removing the smallest portion of a graph that disconnects it [79]. In 1970, Cheeger* derived bounds for $\mu_2$ on a Riemannian bounded curve in terms of volumes and areas. Noga Alon and Vitali Milman [92] extended this to a graph, giving a bound for $\mu_2$ in terms of edge cuts.

Consider a graph $G$ with vertex set $V(G)$. We would like to split the graph into two disconnected components via a cut, in this case an edge-cut. An edge-cut is defined as a bipartition of $V(G)$, denoted by $E(S, \bar{S})$, where $S \subset V(G)$, $\bar{S} = V(G) \setminus S$, and $S \cap \bar{S} = \emptyset$. We also define the edge-cut $E(S, \bar{S})$ as the edge boundary $\partial S$ of $S$. The cardinality of $\partial S$ is the number of edges with one endpoint in $S$ and the other in $\bar{S}$. This quantity is then related to the sizes of $S$ and $\bar{S}$, yielding a ratio for the proposed cut,
\[
h_G(S) = \frac{|\partial S|}{\min(|S|, |\bar{S}|)} = \frac{|E(S, \bar{S})|}{\min(|S|, |\bar{S}|)}.
\]

If we consider this formula for $h_G(S)$, then the Laplacian matrix is the better choice. If using weights, it is often better to use the normalized Laplacian to account for the distribution of weights. In this alternate version, denoted $h'_G(S)$, the term volume is used instead to measure the size of $S$ and $\bar{S}$. Let the volume of $S$ be defined as $\operatorname{vol}(S) = \sum_{v \in S} d(v)$, with $\operatorname{vol}(\bar{S})$ defined in an analogous manner. Then
\[
h'_G(S) = \frac{|E(S, \bar{S})|}{\min(\operatorname{vol}(S), \operatorname{vol}(\bar{S}))}.
\]

As the term in the numerator decreases, the overall cut ratio decreases. Thus, an optimal edge-cut translates into removing the fewest edges. This minimum ratio is called the Cheeger constant of a graph, i.e.,
\[
h_G = \min_{\emptyset \subset S \subset V(G)} h_G(S)
\quad \text{or} \quad
h'_G = \min_{\emptyset \subset S \subset V(G)} h'_G(S),
\]
depending on which version of the Laplacian is used [79, 83]. Finding the minimum edge-cut is a nontrivial problem, especially when the order gets larger. From the Cheeger constant, we can formulate what is known as the Cheeger inequality.

^A complete graph of order $n$ has $\binom{n}{2}$ edges, and every two distinct vertices are adjacent.

*J. Cheeger wrote "A lower bound for the smallest eigenvalue of the Laplacian" in Problems in Analysis, 1970.

Theorem 5.3.2. [79] Let $0 = \mu_1 \le \mu_2 \le \cdots \le \mu_n$ be the eigenvalues of the Laplacian and $h_G$ be the Cheeger constant of a graph $G$. Then
\[
2h_G \ge \mu_2 \ge \frac{h_G^2}{2\Delta(G)}, \tag{5.1}
\]
where $\Delta(G)$ is the maximum degree of $G$. If using the normalized Laplacian, then the Cheeger inequality is given as
\[
2h'_G \ge \mu_2 \ge \frac{(h'_G)^2}{2}. \tag{5.2}
\]

This remarkable result gives us an upper bound for $\mu_2$. In particular, when finding the Cheeger constant appears difficult, it can be estimated with $\mu_2$. Control of $\mu_2$ implies control of the Cheeger constant and hence edge-connectivity [93]. A small value for $\mu_2$ implies a small number of edges is needed to disconnect the graph; a large $\mu_2$ implies many edges are required in an edge-cut. Cvetković et al. [83] provided a similar result relating the edge boundary to the Laplacian eigenvalues:
\[
\mu_2 \frac{|S|\,|\bar{S}|}{n} \le |\partial S| \le \mu_n \frac{|S|\,|\bar{S}|}{n},
\quad \text{i.e.,} \quad
\mu_2 \le \frac{n\,|\partial S|}{|S|\,|\bar{S}|} \le \mu_n. \tag{5.3}
\]

There are many other established bounds on the algebraic connectivity, but we only mention one more, which relates the diameter and maximum degree of a graph. This result is due to Alon Nilli [94], although the notation is borrowed from [83]. If $G$ is connected with maximum degree $\Delta(G)$ and diameter $d$, then
\[
\mu_2 \le \Delta(G) - 2\sqrt{\Delta(G) - 1} + \frac{2\sqrt{\Delta(G) - 1} - 1}{\lfloor d/2 \rfloor}.
\]

Largest Eigenvalue

The largest eigenvalue of $A$ is known as the spectral radius or index of $G$. Besides the other results already mentioned, for a connected graph $G$ that is not regular, we have $d_{\mathrm{avg}} < \lambda_n < \Delta(G)$, where $d_{\mathrm{avg}}$ is the average degree of $G$, $\lambda_n$ the spectral radius of $G$, and $\Delta(G)$ the maximum degree of $G$, respectively [81].

Spanning Trees

A subgraph $H$ of a graph $G$ is a spanning subgraph if it spans all vertices in $G$, i.e., $H$ and $G$ have the same vertex set. If $H$ is a tree^, then it is called a spanning tree. Spanning trees have many applications in networks, from design to searching. The total number of spanning trees in a graph $G$, called the complexity of $G$, is determined by the Laplacian spectrum [83]. This result follows from the matrix-tree theorem.

Theorem 5.3.3. [80-83] Let $G$ be a connected graph with Laplacian matrix $L$ and eigenvalues $0 = \mu_1 \le \mu_2 \le \cdots \le \mu_n$. Then the number of spanning trees $t(G)$ of $G$ is equal to any cofactor of $L$. Symbolically,
\[
t(G) = \det\Big(L + \frac{1}{n^2} J\Big) = \frac{1}{n} \prod_{i=2}^{n} \mu_i,
\]
where $J$ is the all-ones matrix. The $(i,j)$-cofactor of a matrix $M$ is given by $(-1)^{i+j} \det(M(i,j))$, where $M(i,j)$ is obtained by deleting row $i$ and column $j$. It should also be noted that the following relationship holds:
\[
\operatorname{adj}(L) = t(G)\, J, \tag{5.5}
\]
where $\operatorname{adj}(L)$ is the adjugate matrix of $L$, i.e., the transpose of the matrix of cofactors. In this theorem, loops are ignored, since a tree cannot contain a closed path.

^A tree is a connected graph that does not contain cycles. A cycle is a closed circuit, in which vertices may be repeated but edges may not.

Cliques and Independence Number

A clique (pronounced kleek or klik) is a complete subgraph of a graph $G$ [74]. This can also be thought of as a subset of the vertex set $V(G)$ in which all the vertices are pairwise adjacent. A coclique is a set of pairwise nonadjacent vertices in a graph $G$ [81]. The clique number $\omega(G)$ of a graph $G$ is the order of the largest clique in $G$, while the independence number $\alpha(G)$ is the order of the largest coclique in $G$. We now present some bounds on these parameters with respect to the eigenvalues of $A$. Finding the clique number and independence number of a graph, along with many other graph invariants, are NP-complete^ problems. However, determining the bounds from the eigenvalues can be performed in polynomial time.

Theorem 5.3.4. [83] Let $G$ be a graph on $n$ vertices. Let $n^{+}$ and $n^{-}$ denote the number of positive and negative eigenvalues of the adjacency matrix of $G$, respectively. Then
\[
\alpha(G) \le \min\{\, n - n^{+},\; n - n^{-} \,\}. \tag{5.6}
\]

^An NP-complete problem has a solution that can be verified in polynomial time, but there is no known algorithm that can find a solution in polynomial time. NP stands for nondeterministic polynomial time.
Theorem 5.3.5. [83] If $G$ is regular, with ordinary spectrum $\lambda_1 \le \lambda_2 \le \cdots \le \lambda_n$, then
\[
\alpha(G) \le n\,\frac{-\lambda_1}{\lambda_n - \lambda_1}. \tag{5.7}
\]

The clique number $\omega(G)$ is bounded above by the spectral radius of $G$ [85], i.e., $\omega(G) \le \lambda_n + 1$. Cvetković et al. [83] provided a slight improvement on this bound.

Theorem 5.3.6. [83] Let $m^{-}$, $m^{0}$, $m^{+}$ denote the number of eigenvalues of a graph $G$ which are less than, equal to, or greater than $-1$, respectively. Let $s = \min\{\, m^{-} + m^{0} + 1,\; m^{0} + m^{+},\; 1 + \lambda_n \,\}$. Then $\omega(G) \le s$. If $s = m^{-} + m^{0} + 1$ and the eigenvalues greater than $-1$ exceed $m^{-} + m^{0}$, then $\omega(G) \le s - 1$.

Theorem 5.3.7. [83, 95] If $G$ is a graph with $n$ vertices and $m$ edges, then
\[
\omega(G) \ge \frac{2m}{2m - \lambda_n^2}. \tag{5.8}
\]

Chromatic Number

The chromatic number $\chi(G)$ of a graph is the smallest number of colors in a proper coloring of $G$. By a proper coloring, we mean an assignment of colors to the vertices of $G$ such that adjacent vertices are colored differently [74]. Determining the chromatic number of a graph is another decision problem, yet it is a classic exercise in graph theory.

Theorem 5.3.8. [81, 96] Let $G$ be a connected graph with largest eigenvalue $\lambda_n$. Then $\chi(G) \le \lambda_n + 1$, with equality if and only if $G$ is complete or is an odd cycle.

Theorem 5.3.9. [81, 83] Let $G$ be a graph with $n$ vertices and at least one edge. Then

with equality if $G$ is a nontrivial complete graph.

Vladimir Nikiforov [97] provided another lower bound on the chromatic number involving a Laplacian eigenvalue.

Theorem 5.3.10. [83, 97] Let $G$ be a graph with $n$ vertices. Then
\[
\chi(G) \ge 1 + \frac{\lambda_n}{\mu_n - \lambda_1}. \tag{5.10}
\]

Number of Walks

A $u$-$v$ walk in a graph $G$ is a sequence of vertices beginning at $u$ and ending at $v$ such that consecutive vertices in the sequence are adjacent [74]. A $k$-walk is a walk of length $k$. Determining if a graph has a $k$-walk is an NP-complete problem as well.

Lemma 5.3.11. [76, 83] Let $G$ be a graph with adjacency matrix $A$. The number of walks of length $k$ in $G$ that start at vertex $i$ and end at vertex $j$ is given by the $(i,j)$ entry of the matrix $A^k$.

A $u$-$v$ walk is closed if $u = v$. The number of closed walks of length $k$ is given by [83]
\[
\sum_{i=1}^{n} \lambda_i^{k} = \lambda_1^{k} + \lambda_2^{k} + \cdots + \lambda_n^{k}. \tag{5.11}
\]

It follows from Lemma 5.3.11 that we can relate the eigenvalues to the number of triangles and edges in a graph. In particular, we have $\lambda_1^2 + \cdots + \lambda_n^2 = 2|E(G)|$, since the trace of $A^2$ counts the number of closed walks of length two. Also, $\lambda_1^3 + \cdots + \lambda_n^3 = 6|T(G)|$, where $T(G)$ is the number of triangles in the graph.

In order to count the total number of walks of length $k$ in a graph, we must first consider the product $j^{T} A^{k} j$, where $j$ is the all-ones vector of length $n$. Since $A$ is a real symmetric matrix, its eigenvalues are associated with orthonormal eigenvectors. Thus, for a suitable choice of constants $\alpha_i$, we can substitute for $j$ with $j = \mathbf{1} = \sum_i \alpha_i \phi_i$, where $\phi_i$ is the eigenvector corresponding to $\lambda_i$. Utilizing this substitution [98], we have that the total number of walks of length $k$ is
\[
j^{T} A^{k} j = \Big(\sum_i \alpha_i \phi_i\Big)^{T} A^{k} \Big(\sum_i \alpha_i \phi_i\Big) = \sum_i \alpha_i^{2} \lambda_i^{k}.
\]

Alternate approaches to the total number of walks of length $k$ are given in [77, 83].
Strongly Regular Graphs

A strongly regular graph is an $r$-regular graph on $n$ vertices with the parameters $(n, r, e, f)$ such that any two adjacent vertices have $e$ common neighbors and any two nonadjacent vertices have $f$ common neighbors [83]. Examples of strongly regular graphs include the 5-cycle $C_5$ with parameters $(5, 2, 0, 1)$ and the Petersen graph with parameters $(10, 3, 0, 1)$. The Petersen graph is referenced below in Figure 5.5.

Theorem 5.3.12. [83, 99] Let $G$ be a connected $r$-regular graph, $r > 0$. Then $G$ is strongly regular if and only if it has exactly three distinct eigenvalues. Furthermore, if these eigenvalues are $\lambda_1 = r$, $\lambda_2 = s$, and $\lambda_3 = t$, then
\[
s, t = \frac{(e - f) \pm \sqrt{\Delta}}{2}, \qquad \Delta = (e - f)^2 + 4(r - f).
\]

In the reverse direction, the parameters $e$ and $f$ are given in terms of the eigenvalues as
\[
e = r + s + t + st, \qquad f = r + st, \qquad n = \frac{(r - s)(r - t)}{r + st}.
\]

The multiplicities of $r, s, t$ are $1, k, l$, respectively, where
\[
k, l = \frac{1}{2}\left[(n - 1) \mp \frac{2r + (n - 1)(e - f)}{\sqrt{\Delta}}\right].
\]

Furthermore, if $k = l$ (which only happens when $\Delta$ is not a perfect square), then the strongly regular graph is called a conference graph. If the graph is not a conference graph, then $\Delta = (s - t)^2$ is a perfect square, and $r$, $s$ and $t$ are all integers.


5.4 Cayley Graphs

Cayley graphs are named in honor of the British mathematician Arthur Cayley (1821-1895). Among his many accomplishments, Cayley is best known for his work in developing modern group theory. Cayley is also credited with solidifying matrix theory and making discoveries in analytic geometry.

5.4.1 Definitions

We first need the idea of a Cayley set in order to define the Cayley graph that we need for a BF.

Definition 5.4.1. [39, 41] Let $\Gamma$ be a group with identity element $e$. Suppose $C$ is a subset of $\Gamma$. $C$ is called a Cayley set if and only if whenever $g \in C$, then $g^{-1} \in C$, and $e \notin C$.

Definition 5.4.1 follows the traditional manner of defining a generating set for a finite group, but we modify it by allowing the identity $e$ to be an element of $C$. This exception allows for the presence of loops in the graph [41].

Definition 5.4.2. [41] The Cayley graph $G = G(\Gamma, C)$ of $\Gamma$ with respect to $C$ is the graph whose vertex set is $\Gamma$, with two vertices $g$ and $h$ adjacent if $gh^{-1} \in C$.

We now proceed to associate the Cayley graph to a BF, $f : \mathbb{F}_2^n \to \mathbb{F}_2$. Recall that $\mathbb{F}_2^n$ is a vector space, and for any vector $w \in \mathbb{F}_2^n$, $w = w^{-1}$ with respect to the XOR operation. Since every vector is equal to its inverse in this group, any subset of $\mathbb{F}_2^n$ is a Cayley set. The subset we choose is the support of $f$, i.e., $\Omega_f = \{x \in \mathbb{F}_2^n : f(x) = 1\}$. We can now define a Cayley graph for a BF.

Definition 5.4.3. [39, 41] Let $f$ be a BF on $\mathbb{F}_2^n$. Define the Cayley graph of $f$ with respect to the set $\Omega_f$ as the graph $\Gamma_f = (\mathbb{F}_2^n, E_f)$. The vertex set of $\Gamma_f$ is $\mathbb{F}_2^n$, while the edge set is defined by
\[
\begin{aligned}
E_f &= \{(w, u) \in \mathbb{F}_2^n \times \mathbb{F}_2^n : w \oplus u \in \Omega_f\} \\
    &= \{(w, u) \in \mathbb{F}_2^n \times \mathbb{F}_2^n : f(w \oplus u) = 1\}.
\end{aligned}
\]

It follows from Definition 5.4.3 that the adjacency matrix $A_f$ of $\Gamma_f$ is the array of entries $a_{ij} = f(b(i) \oplus b(j))$, where $b(i)$ is the binary representation of the vector indexed by $i$. The adjacency matrix $A_f$ has the following properties [39, 41]:

i) The row sums of $A_f$ are equal to $|\Omega_f|$;

ii) Property i) implies that $\Gamma_f$ is a regular graph of degree $\mathrm{wt}(f) = |\Omega_f|$;

iii) $A_f$ has the dyadic property [100]: $a_{ij} = a_{i \oplus k,\, j \oplus k}$ for every $k$, since the entry depends only on $b(i) \oplus b(j)$;

iv) $A_f$ is a $2^n \times 2^n$ symmetric matrix.
5.4.2 Boolean Cayley Graphs and their Spectra

For clarity, we now refer to Definition 5.4.3 as the one for Boolean Cayley graphs. BFs and their Walsh spectra have been analyzed extensively in the last 50 years, especially with regard to their associated cryptographic properties. The Cayley graph has also received much attention in the works of László Babai [101] and László Lovász [102], in particular with regard to its graph spectra. With the arrival of the Boolean Cayley graph, however, we now have a means to examine the graph spectra of a BF. The seminal work on Boolean Cayley graphs and their spectra was performed by Bernasconi and Codenotti [41], a summary of which is presented here.

Theorem 5.4.4. Let $f : \mathbb{F}_2^n \to \mathbb{F}_2$, and let $\lambda_i$, $0 \le i \le 2^n - 1$, be the eigenvalues of the associated Cayley graph $\Gamma_f$. Then there is a one-to-one correspondence between the spectrum of $\Gamma_f$ and the Walsh spectrum of $f$, i.e., $\lambda_i = F(b(i))$ for any $i$.

Proof: Recall that we defined the group character of $\mathbb{F}_2^n$ as the function $Q_w(x) = (-1)^{\langle w, x \rangle}$. The eigenvectors of $\Gamma_f$ are equal to the characters $Q_w(x)$. Then the $i$th eigenvalue of $A_f$, corresponding to the eigenvector $Q_{b(i)}$, is given by
\[
\lambda_i = \sum_{x} Q_{b(i)}(x)\, f(x) = \sum_{x} (-1)^{\langle b(i), x \rangle} f(x) = F(b(i)).
\]
EXAMPLE 5.4.5. Let us use the function from Example 4.5.4, $f : \mathbb{F}_2^2 \to \mathbb{F}_2$ with ANF given by $1 \oplus x_1 \oplus x_2$.
\[
F(w) = W(f)(w) = \sum_{x \in \mathbb{F}_2^2} (-1)^{\langle w, x \rangle} f(x).
\]

$F(00) = 1(-1)^0 + 0 + 0 + 1(-1)^0 = 2$
$F(01) = 1(-1)^0 + 0 + 0 + 1(-1)^1 = 0$
$F(10) = 1(-1)^0 + 0 + 0 + 1(-1)^1 = 0$
$F(11) = 1(-1)^0 + 0 + 0 + 1(-1)^2 = 2$

$\lambda_0 = F(00) = 2$
$\lambda_1 = F(01) = 0$
$\lambda_2 = F(10) = 0$
$\lambda_3 = F(11) = 2$

We must be careful here not to confuse the subscript notation of the Cayley graph eigenvalues with the ordinary spectrum presented in Subsection 5.3.1. Translating the eigenvalues of this function to the spectrum notation of an adjacency matrix, we have
\[
\operatorname{Spec} \Gamma_f =
\begin{pmatrix}
0 & 2 \\
2 & 2
\end{pmatrix}.
\]

Theorem 5.4.4 is a remarkable result not only because it links BFs to spectral graph theory, but also because it can save computational time. There are numerous computer programs that can quickly compute the WT of a BF. In order to compute the eigenvalues of $A_f$, however, we must first collect all of the vector combinations in the support of $f$ and then create the $2^n \times 2^n$ matrix. For large $n$, this can be time consuming. For this thesis, in particular for Chapter 6, Theorem 5.4.4 only holds if we assign a weight of one to a loop in a pseudograph. If a loop is assigned a weight of two, then we do not see a one-to-one correspondence between the WT and the Cayley spectra.

Figure 5.6 depicts the Cayley graph from Example 5.4.5. Using some of the results from Section 5.3.1, we can make some comments about this graph. We know that the Cayley graph is regular, and using the adjacency matrix for this function, the row sums of $A_f$ are two. Thus, $\Gamma_f$ is 2-regular. Regularity also implies that $r = 2$ is an eigenvalue of $\Gamma_f$, and all other eigenvalues have absolute value less than or equal to 2. We can clearly see that the graph in Figure 5.6 is disconnected. This is verified because the largest eigenvalue $\lambda_3 = 2$ does not have multiplicity one. Also, the Laplacian eigenvalues (which in this case happen to be the same as those of the adjacency matrix) tell us that $\Gamma_f$ is disconnected, since the multiplicity of 0 implies that the graph has $k(G) = 2$ components. With regard to diameter, we do not define the diameter of a disconnected graph. However, the diameter of a component can be examined, and since the components of the graph in Figure 5.6 are the same, we deduce that the diameter of a component is 1. This is verified with the eigenvalues of an adjacency matrix for one component, which are 0 and 2. The diameter is bounded above by $d - 1$, where $d = 2$ is the number of distinct eigenvalues. In this case, we know that $\operatorname{diam}(G) \le 2 - 1 = 1$. It is not very helpful to examine $\Gamma_f$ with some of the other results since the graph is disconnected, but this will be looked at more closely in Chapter 6.

Figure 5.6: Cayley Graph $\Gamma_f$ for the Function $1 \oplus x_1 \oplus x_2$.

Let $\langle \Omega_f \rangle \subseteq \mathbb{F}_2^n$ be the space of the $(0,1)$ sequences generated by $\Omega_f$ and let $\dim(\Omega_f)$ be its dimension [39, 41]. Given this, observe that $\Omega_f = \{00, 11\}$ in Example 5.4.5. Since the zero vector is not part of a basis, this space has dimension one, i.e., $\dim(\Omega_f) = 1$. With this new concept, we can state some more results on Boolean Cayley spectra, taken from [39, 41].

5.4.3 Further Spectral Properties of Boolean Cayley Graphs

This section lists some other properties relating the Cayley spectra to graph properties as well as BF properties. For some of these results, it is assumed that n ≥ 4, and these are marked with a (*).

i*) The multiplicity of the largest spectral coefficient of f, F(0), is equal to dim(Ω_f).

ii) If dim(Ω_f) = n, then Γ_f is connected.

iii*) If Γ_f is connected, then f has a spectral coefficient equal to −wt(f) if and only if its Walsh spectrum is symmetric with respect to zero.

iv*) Γ_f is bipartite if and only if the Walsh spectrum of f is symmetric with respect to zero. Furthermore, Γ_f is bipartite if and only if F_2^n \ Ω_f contains a subspace of dimension n − 1.

v*) The number of nonzero spectral coefficients is equal to rank(A_f).

vi*) If Γ_f has two distinct eigenvalues, then its connected components are complete graphs and Ω_f ∪ {0} is a group.

vii*) If Γ_f has three distinct eigenvalues, none of which is zero, then these eigenvalues are

λ_0 = |Ω_f| = wt(f),  λ_2 = −λ_1 =

where e is the parameter of a strongly regular graph.

viii*) A BF defined on F_2^n (n even) is bent if and only if its associated Cayley graph Γ_f is a strongly regular graph with the additional property that e = d.

ix) Assume n ≥ 4. If Γ_f is triangle free, then f is not bent.

x*) If Γ_f is the Cayley graph of f with eigenvalues λ_1 ≤ λ_2 ≤ ··· ≤ λ_N and g being the multiplicity of λ_1, then

min{ g + 1, 1 − λ_N/λ_{N−1} } ≤ χ(Γ_f) ≤ |Ω_f|,

provided λ_{N−1} ≠ 0.

xi*) A BF is correlation immune of order ℓ if and only if the eigenvalues of its associated Cayley graph satisfy λ_i = 0 for all i with 1 ≤ wt(b(i)) ≤ ℓ. Resiliency follows if λ_0 = 2^{n−1}.
CHAPTER 6:
DES Spectra

In this chapter, the S-Boxes of DES are examined in several ways. First, we find the BF representation for each of the coordinate functions within an S-Box. The relevant cryptographic properties of these functions are then computed and compared to each other. Second, we associate the BFs to a Cayley graph and examine the spectra of these graphs. With the spectra and cryptographic properties of the functions on hand, we can deduce some properties of the Cayley graph.

6.1 Methods

Recall from Chapter 4 that an S-Box is a function F : F_2^n → F_2^m. For DES, this function is F : F_2^6 → F_2^4. Each of the boxes contains four coordinate BFs, represented as F(x) = (f_1(x), f_2(x), f_3(x), f_4(x)), where each f_i is a mapping from the vector space F_2^6 to the binary field F_2, i.e., f_i : F_2^6 → F_2. As an example of our approach, reconsider S-Box 1 from Table 3.10, displayed for the reader below.


S-Box 1

ROW/COL   0000  0001  0010  0011  0100  0101  0110  0111
00        1110  0100  1101  0001  0010  1111  1011  1000
01        0000  1111  0111  0100  1110  0010  1101  0001
10        0100  0001  1110  1000  1101  0110  0010  1011
11        1111  1100  1000  0010  0100  1001  0001  0111

ROW/COL   1000  1001  1010  1011  1100  1101  1110  1111
00        0011  1010  0110  1100  0101  1001  0000  0111
01        1010  0110  1100  1011  1001  0101  0011  1000
10        1111  1100  1001  0111  0011  1010  0101  0000
11        0101  1011  0011  1110  1010  0000  0110  1101

Since each coordinate function has a total of 2^6 input vectors, the S-Box entries represent the 64 output bits of these functions. Thus, as a truth table function, f_1 has the following sequence of outputs:

(1, 1, 1, 0, 0, 1, 0, 0, 1, 1, 0, 1, 0, 0, 0, 1, 0, 0, 1, 0, 1, 1, 1, 1, 1, 0, 1, 1, 1, 0, 0, 0, 0, 0, 1, 1, 1, 0, 1, 0, 0, 1, 1, 0, 1, 1, 0, 0, 0, 1, 0, 1, 1, 0, 0, 1, 0, 0, 0, 0, 0, 1, 1, 1),

corresponding to the entries of the first (00) row in S-Box 1.

The ordering of input variables we choose is in reverse order, i.e., f(x6, x5, x4, x3, x2, x1). Again, the ordering of the variables is unimportant. Table 6.1 depicts the first 10 entries of the truth table for f_1 as an explanation of the variable ordering.


x6  x5  x4  x3  x2  x1  |  f
 0   0   0   0   0   0  |  1
 0   0   0   0   0   1  |  1
 0   0   0   0   1   0  |  1
 0   0   0   0   1   1  |  0
 0   0   0   1   0   0  |  0
 0   0   0   1   0   1  |  1
 0   0   0   1   1   0  |  0
 0   0   0   1   1   1  |  0
 0   0   1   0   0   0  |  1
 0   0   1   0   0   1  |  1

Table 6.1: First 10 Truth Table Entries for S-Box 1.


The unique truth table output is then input into a software program to compute the various cryptographic properties of the BFs. For this thesis, multiple programs are used for analysis in order to verify accuracy, and these include SageMathCloud, R and R-Studio, as well as Boolean Functions Workshop 1.3. The adjacency matrix A_f is then formed from the definitions in Chapter 5. Note that for any vector w in F_2^n, w ⊕ w = 0 over the binary field F_2. Thus, since an edge (w, u) is present in the associated Cayley graph if f(w ⊕ u) = 1, then f(w ⊕ w) = f(0) = 1 implies the presence of a loop. Hence, if the first output in a function's truth table sequence is a one, then the associated Cayley graph has a loop at every vertex.

The adjacency matrix is then input into MATLAB, where the eigenvalues are computed and compared to the corresponding function's WT for verification. The adjacency matrix is also imported into MATLAB and Gephi to produce a graph.


6.2  DES  S-Box  Spectra 

This  section  details  the  results  obtained  via  the  methods  in  Section  6.1.  Each  S-Box  is 
given  its  own  subsection  for  reader  clarity.  Recall  that  the  notation  we  adopt  for  spectra  is 
given  by  Definition  5.3.1. 

6.2.1  S-Box  1 

The  ANFs  for  the  coordinate  functions  are  displayed  in  Table  6.2. 


Function | ANF | Number of Terms | Degree

f1
  1 ⊕ x3 ⊕ x5 ⊕ x6 ⊕ x1x2 ⊕ x1x3 ⊕ x2x4 ⊕ x2x5 ⊕ x4x5 ⊕ x2x6 ⊕ x5x6 ⊕ x1x3x4 ⊕ x2x3x4 ⊕ x1x3x5 ⊕ x2x3x5 ⊕ x1x4x5 ⊕ x3x4x5 ⊕ x1x2x6 ⊕ x2x3x6 ⊕ x1x4x6 ⊕ x2x4x6 ⊕ x1x5x6 ⊕ x4x5x6 ⊕ x1x2x3x5 ⊕ x1x3x4x5 ⊕ x2x3x4x5 ⊕ x1x3x4x6 ⊕ x2x3x5x6 ⊕ x1x4x5x6 ⊕ x1x2x3x4x5 ⊕ x1x2x3x5x6
  Number of Terms: 31   Degree: 5

f2
  x3 ⊕ x5 ⊕ x6 ⊕ x1x4 ⊕ x2x4 ⊕ x3x4 ⊕ x1x6 ⊕ x5x6 ⊕ x1x2x4 ⊕ x2x3x4 ⊕ x1x2x5 ⊕ x2x3x5 ⊕ x1x4x5 ⊕ x3x4x5 ⊕ x2x3x6 ⊕ x2x5x6 ⊕ x4x5x6 ⊕ x1x2x4x5 ⊕ x2x3x4x5 ⊕ x1x2x4x6 ⊕ x1x3x4x6 ⊕ x2x3x4x6 ⊕ x1x2x5x6 ⊕ x2x3x5x6 ⊕ x1x4x5x6 ⊕ x2x4x5x6 ⊕ x1x2x3x4x6 ⊕ x1x2x4x5x6
  Number of Terms: 28   Degree: 5

f3
  x1 ⊕ x4 ⊕ x5 ⊕ x6 ⊕ x1x2 ⊕ x1x3 ⊕ x1x4 ⊕ x1x5 ⊕ x2x5 ⊕ x3x5 ⊕ x1x6 ⊕ x4x6 ⊕ x2x3x4 ⊕ x1x4x5 ⊕ x1x2x6 ⊕ x1x3x6 ⊕ x2x3x6 ⊕ x2x4x6 ⊕ x3x4x6 ⊕ x1x5x6 ⊕ x1x2x3x5 ⊕ x1x3x5x6 ⊕ x1x4x5x6 ⊕ x1x2x3x4x5 ⊕ x1x2x3x4x6 ⊕ x1x2x3x5x6
  Number of Terms: 26   Degree: 5

f4
  1 ⊕ x5 ⊕ x6 ⊕ x2x3 ⊕ x1x4 ⊕ x2x4 ⊕ x3x4 ⊕ x1x5 ⊕ x3x5 ⊕ x1x6 ⊕ x3x6 ⊕ x1x2x4 ⊕ x1x3x4 ⊕ x2x3x4 ⊕ x1x2x5 ⊕ x2x4x5 ⊕ x2x3x6 ⊕ x3x4x6 ⊕ x1x5x6 ⊕ x3x5x6 ⊕ x4x5x6 ⊕ x1x2x3x5 ⊕ x1x2x4x5 ⊕ x2x3x4x5 ⊕ x1x2x3x6 ⊕ x1x2x4x6 ⊕ x1x3x4x6 ⊕ x1x2x5x6 ⊕ x1x3x5x6 ⊕ x1x4x5x6 ⊕ x2x4x5x6 ⊕ x1x2x3x4x5 ⊕ x1x2x4x5x6
  Number of Terms: 33   Degree: 5

Table 6.2: ANF and Degree of S-Box 1 BFs.
Tables 6.3, 6.4, 6.5, and 6.6 display the various spectra for these same functions as well as their relevant cryptographic criteria.


Function | Walsh Spectra and Walsh-Hadamard Spectra

f1
  W:  (32, 0, 0, 0, 0, 0, -4, -4, 2, 2, -2, -2, -2, -2, -2, -2, 0, 0, 4, -4, 8, 0, 0, 0, -2, 6, -2, -2, 2, 2, -2, 6, 2, 2, 2, 2, 6, 6, 2, 2, 0, 0, 4, -12, -8, 8, 0, 0, -2, -10, 2, 2, 2, 2, 10, 2, 0, 0, 8, 0, 8, 0, -4, -4)
  WH: (0, 0, 0, 0, 0, 0, 8, 8, -4, -4, 4, 4, 4, 4, 4, 4, 0, 0, -8, 8, -16, 0, 0, 0, 4, -12, 4, 4, -4, -4, 4, -12, -4, -4, -4, -4, -12, -12, -4, -4, 0, 0, -8, 24, 16, -16, 0, 0, 4, 20, -4, -4, -4, -4, -20, -4, 0, 0, -16, 0, -16, 0, 8, 8)

f2
  W:  (32, 0, 0, 0, 2, 2, 2, 2, 0, 4, 0, -4, -6, 6, 2, 6, 2, 2, 2, -6, -8, 0, 0, 0, -2, 2, -2, 2, -4, 0, -4, 0, 0, -4, 0, -4, 2, -2, 2, -2, 0, 8, 0, 0, -6, -6, 2, -6, -2, -6, -2, 2, -4, 0, -12, 0, 2, -6, 2, 10, -8, 0, 8, 0)
  WH: (0, 0, 0, 0, -4, -4, -4, -4, 0, -8, 0, 8, 12, -12, -4, -12, -4, -4, -4, 12, 16, 0, 0, 0, 4, -4, 4, -4, 8, 0, 8, 0, 0, 8, 0, 8, -4, 4, -4, 4, 0, -16, 0, 0, 12, 12, -4, 12, 4, 12, 4, -4, 8, 0, 24, 0, -4, 12, -4, -20, 16, 0, -16, 0)

f3
  W:  (32, 0, 0, 0, 4, -4, 0, 0, 2, -2, 2, -2, 2, -2, -2, 2, 2, -2, 6, 2, 2, 6, 2, -2, -4, -4, 0, 0, 0, 0, 0, -8, -2, 2, 2, -2, -2, 2, 6, -6, -4, -12, 0, 0, 0, 0, 8, 8, -8, 0, 0, 0, 4, -4, 0, -8, -2, 2, -10, 2, -10, 2, 2, -2)
  WH: (0, 0, 0, 0, -8, 8, 0, 0, -4, 4, -4, 4, -4, 4, 4, -4, -4, 4, -12, -4, -4, -12, -4, 4, 8, 8, 0, 0, 0, 0, 0, 16, 4, -4, -4, 4, 4, -4, -12, 12, 8, 24, 0, 0, 0, 0, -16, -16, 16, 0, 0, 0, -8, 8, 0, 16, 4, -4, 20, -4, 20, -4, -4, 4)

f4
  W:  (32, 0, 0, 0, -2, -2, -2, -2, 0, 0, 4, 4, 6, -2, 2, -6, 4, 4, 0, 0, 2, -6, -2, 6, 8, -8, 0, 0, -2, -2, -2, -2, -2, -2, 2, 2, 0, 0, 4, 4, 6, -2, 6, -2, 0, 0, -8, -8, -2, 6, 6, -2, 8, 8, 0, 0, 2, 2, -2, -2, 4, 4, -8, 8)
  WH: (0, 0, 0, 0, 4, 4, 4, 4, 0, 0, -8, -8, -12, 4, -4, 12, -8, -8, 0, 0, -4, 12, 4, -12, -16, 16, 0, 0, 4, 4, 4, 4, 4, 4, -4, -4, 0, 0, -8, -8, -12, 4, -12, 4, 0, 0, 16, 16, 4, -12, -12, 4, -16, -16, 0, 0, -4, -4, 4, 4, -8, -8, 16, -16)

Table 6.3: Walsh Spectra and Walsh-Hadamard Spectra of S-Box 1 BFs.


Function | Cayley Graph Spectra (λ1 ≤ λ2 ≤ ··· ≤ λn) | Distinct λi

f1
  λ:     -12  -10   -8   -4   -2    0    2    4    6    8   10   32
  mult:    1    1    1    5   11   18   15    2    4    4    1    1
  Distinct λi: 12

f2
  λ:     -12   -8   -6   -4   -2    0    2    4    6    8   10   32
  mult:    1    2    7    6    6   19   16    1    2    2    1    1
  Distinct λi: 12

f3
  λ:     -12  -10   -8   -6   -4   -2    0    2    4    6    8   32
  mult:    1    2    3    1    5   11   18   15    2    3    2    1
  Distinct λi: 12

f4
  λ:      -8   -6   -2    0    2    4    6    8   32
  mult:    4    2   18   15    6    8    6    4    1
  Distinct λi: 9

Table 6.4: Cayley Graph Spectra of S-Box 1 BFs.

Table 6.5: Laplacian Spectra of Cayley Graphs Associated with S-Box 1 BFs.


Crypto Property              f1    f2    f3    f4
Degree                        5     5     5     5
Balanced                     Yes   Yes   Yes   Yes
Weight                       32    32    32    32
Nonlinearity                 20    20    20    24
Algebraic Immunity            3     3     3     3
Correlation Immunity Order    0     0     0     0
Resiliency Order              0     0     0     0

Table 6.6: Cryptographic Properties of S-Box 1 BFs.


Figure 6.1 represents the Cayley graph for the first row BF. Due to software limitations, loops are not present.

Figure 6.1: Cayley Graph Representation for f_1 of S-Box 1, Loops Not Present.


Spectral Observations

Here we state some observations from the Cayley graphs of S-Box 1 with the relations given in Chapter 5.

Regularity: The Cayley graphs associated with all of the 32 BFs are regular of degree wt(f) = |Ω_f| = 32.

Connectivity: This is apparent from the first graph in Figure 6.1, but all graphs Γ_f are connected since the multiplicity of λ = 32 is 1 (also μ_2 > 0 and dim(Ω_f) = 6). Additionally, since m(μ_1) = 1, Γ_f has one component. Since none of the Walsh spectra are symmetric with respect to zero, we do not see any Cayley spectra where λ_1 = −32.

Bipartite: None of the graphs are bipartite since the Walsh spectra are not symmetric with respect to 0.

Rank: The ranks of the adjacency matrices A_{f_i} are equal to 46, 45, 46, and 49, respectively.

Diameter: The diameters of the Cayley graphs associated with S-Box 1 are bounded according to the following inequalities:

0.0028 ≤ Diam(Γ_{f_1}) ≤ 12 − 1 = 11;
0.0028 ≤ Diam(Γ_{f_2}) ≤ 12 − 1 = 11;
0.0026 ≤ Diam(Γ_{f_3}) ≤ 12 − 1 = 11;
0.0026 ≤ Diam(Γ_{f_4}) ≤ 9 − 1 = 8.

Using SageMathCloud, we determine the diameter to be 2 for all four of the Cayley graphs.

Edge Connectivity: Since μ_2 is 22 or 24, we have an idea of the number of edges needed in an edge-cut of the Cayley graphs.

Spanning Trees: The Cayley graphs for these functions have large complexities. Chapter 5 provided a formula for the number of spanning trees in a graph in terms of the nonzero Laplacian eigenvalues. It is also known that for r-regular graphs of order n, the complexity of the graph G is bounded above [76] by

τ(G) ≤ (1/n) · (nr/(n − 1))^{n−1}.

The numbers of spanning trees in these graphs are approximately 2.277 × 10^92, 1.731 × 10^93, 1.7648 × 10^93, and 2.2708 × 10^92. These complexities come close to the upper bound of 2.8129 × 10^93, but interestingly Γ_{f_4} has the smallest complexity and also the smallest number of distinct eigenvalues (and consequently a tighter upper bound on diameter).

Footnote: For many of these graph properties, we consider only the underlying simple graph for those pseudographs with loops, since many graph parameters are only defined on simple graphs.

Clique and Independence Number: We have bounds for the clique number based on the details in Chapter 5, and these are universal for all of the S-Boxes since they are in terms of the spectral radius. Thus, we have 2 ≤ ω(Γ_f) ≤ 33 for the entire set of S-Boxes. This bound is not ideal, since we would like a tighter interval. Methods are available, however, for computing the clique number of a graph with the aid of NetworkX and Python. Using SageMathCloud, we compute the clique number to be 8 for all four graphs, i.e., ω(Γ_f) = 8. For the independence number, we have an upper bound based on the inequality in Chapter 5 for regular graphs. Hence, α(Γ_f) is bounded above by 17.4545, 17.4545, 17.4545, and 12.8, respectively. Using the Independent Set Algorithm by Dharwadker [103], however, the independence number is found to be α(Γ_f) = 8 for the S-Box 1 Cayley graphs.

Chromatic Number: The bounds for χ(G) given in Chapter 5 give us that 3.6 ≤ χ(Γ_f) ≤ 32. We can increase the lower bound slightly since it is known that ω ≤ χ. Hence, 8 ≤ χ(Γ_f) ≤ 32. Using SageMathCloud, we compute the chromatic number also to be 8 for all four graphs.
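To make the procedure of Section 6.1 and the spectral checks of Section 5.4.3 and of the observations above concrete, here is a small worked example. It is added for this edition and is not code from the thesis or from any of the tools it names (SageMathCloud, R, Boolean Functions Workshop, MATLAB, Gephi); every function and variable name in it is my own. It embeds the standard DES S-Box 1 (FIPS 46) as its sample input and follows the conventions the text uses: f_1 is the 64-bit sequence obtained by writing out the sixteen 4-bit entries of row 00 (the sequence listed in Section 6.1), the truth-table index has x_1 as its least significant bit, the Walsh spectrum is W(w) = Σ_x f(x)(−1)^{w·x}, the Walsh-Hadamard spectrum is assumed to be WH(w) = 2^n[w = 0] − 2W(w) (the relation that Table 6.3 exhibits), and the Cayley graph has A[u][v] = f(u ⊕ v) with Laplacian L = wt(f)·I − A. The code verifies that the characters (−1)^{w·x} are eigenvectors of A with eigenvalues W(w), and then reads off the quantities reported above for Γ_{f_1}: regularity of degree 32, twelve distinct eigenvalues (so diam ≤ 11), one component, rank(A_f) = 46 nonzero coefficients (property v), μ_2 = 22, the actual diameter 2 by breadth-first search, the nonlinearity 20, and the number of spanning trees from the matrix-tree theorem.

```python
from collections import Counter, deque

# Standard DES S-Box 1 (FIPS 46), rows 00, 01, 10, 11; the box shown in Table 3.10.
DES_S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]


def row_function(sbox, row):
    """Truth table of f_{row+1}: the row's sixteen 4-bit entries written out, MSB first."""
    return [(entry >> k) & 1 for entry in sbox[row] for k in (3, 2, 1, 0)]


def parity(v):
    """The dot product w.x over F_2 is the parity of the bitwise AND w & x."""
    return bin(v).count("1") & 1


def walsh(f):
    """Walsh spectrum W(w) = sum_x f(x) (-1)^{w.x}; W(0) = wt(f)."""
    n = len(f)
    return [sum(f[x] * (-1) ** parity(w & x) for x in range(n)) for w in range(n)]


def walsh_hadamard(W):
    """Walsh-Hadamard spectrum, assumed here to be WH(w) = 2^n [w = 0] - 2 W(w)."""
    n = len(W)
    return [(n if w == 0 else 0) - 2 * W[w] for w in range(n)]


def nonlinearity(WH):
    """nl(f) = 2^(n-1) - (1/2) max_w |WH(w)|."""
    return len(WH) // 2 - max(abs(v) for v in WH) // 2


def adjacency(f):
    """Cayley graph of f: u ~ v iff f(u XOR v) = 1; f(0) = 1 puts a loop on every vertex."""
    n = len(f)
    return [[f[u ^ v] for v in range(n)] for u in range(n)]


def characters_are_eigenvectors(A, W):
    """Verify A chi_w = W(w) chi_w for every character chi_w(x) = (-1)^{w.x}."""
    n = len(A)
    for w in range(n):
        chi = [(-1) ** parity(w & x) for x in range(n)]
        for u in range(n):
            if sum(A[u][v] * chi[v] for v in range(n)) != W[w] * chi[u]:
                return False
    return True


def distances_from(A, src):
    """BFS distances in the underlying simple graph (loops ignored); -1 means unreachable."""
    dist = [-1] * len(A)
    dist[src] = 0
    queue = deque([src])
    while queue:
        u = queue.popleft()
        for v, edge in enumerate(A[u]):
            if edge and v != u and dist[v] < 0:
                dist[v] = dist[u] + 1
                queue.append(v)
    return dist


def analyse(f):
    """Spectral data of Gamma_f in the form the chapter's tables and observations report it."""
    W = walsh(f)
    A = adjacency(f)
    r = sum(f)                                 # wt(f) = |Omega_f| = degree of every vertex
    spectrum = Counter(W)                      # eigenvalue -> multiplicity
    laplacian = sorted(r - lam for lam in W)   # eigenvalues of L = rI - A
    dist = distances_from(A, 0)                # Gamma_f is vertex-transitive: one BFS suffices
    trees = 1
    for mu in laplacian[1:]:                   # matrix-tree theorem: (1/n) prod_{i>=2} mu_i
        trees *= mu
    return {
        "regular": all(sum(row) == r for row in A),
        "degree": r,
        "loops": f[0] == 1,
        "distinct": sorted(spectrum),
        "multiplicity": dict(spectrum),
        "components": spectrum[r],             # multiplicity of the largest eigenvalue
        "connected": all(d >= 0 for d in dist),
        "walsh_symmetric": sorted(W) == sorted(-v for v in W),  # property (iv): bipartite test
        "rank": sum(1 for v in W if v != 0),   # property (v): nonzero spectral coefficients
        "diameter_bound": len(spectrum) - 1,   # diam <= d - 1 for d distinct eigenvalues
        "diameter": max(dist),
        "mu2": laplacian[1],                   # second-smallest Laplacian eigenvalue
        "nonlinearity": nonlinearity(walsh_hadamard(W)),
        "spanning_trees": trees // len(f),
        "spectrum_verified": characters_are_eigenvectors(A, W),
    }


if __name__ == "__main__":
    f1 = row_function(DES_S1, 0)
    print("f1 truth table:", "".join(map(str, f1)))
    for key, value in analyse(f1).items():
        print(f"{key}: {value}")
```

Running it prints the 64-bit truth table of f_1 (it begins 1110 0100 1101 0001, the first four entries of row 00) and the dictionary of results; calling analyse on row_function(DES_S1, 1), 2 or 3 reproduces the other three rows, and swapping in another S-Box's entries handles the remaining boxes. Because L = 32I − A has diagonal 31 when f(0) = 1, it is exactly the Laplacian of the underlying simple graph that the footnote on loops refers to, which is why the loop at every vertex does not disturb the spanning-tree count, and the product of the 63 nonzero Laplacian eigenvalues divided by 64 lands on the 2.277 × 10^92 quoted above.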

6.2.2  S-Box  2 

In  this  subsection,  we  mimic  the  approach  taken  in  Subsection  6.2.1,  with  less  explanation. 

S-Box  2  is  displayed  in  Table  6.7. 


S-Box 2

ROW/COL   0000  0001  0010  0011  0100  0101  0110  0111
00        1111  0001  1000  1110  0110  1011  0011  0100
01        0011  1101  0100  0111  1111  0010  1000  1110
10        0000  1110  0111  1011  1010  0100  1101  0001
11        1101  1000  1010  0001  0011  1111  0100  0010

ROW/COL   1000  1001  1010  1011  1100  1101  1110  1111
00        1001  0111  0010  1101  1100  0000  0101  1010
01        1100  0000  0001  1010  0110  1001  1011  0101
10        0101  1000  1100  0110  1001  0011  0010  1111
11        1011  0110  0111  1100  0000  0101  1110  1001

Table 6.7: S-Box 2 in Binary Form.
The BFs in S-Box 2 are converted to their ANFs in Table 6.8. Tables 6.9, 6.10, 6.11, and 6.12 follow in the same manner as before.


Function | ANF | Number of Terms | Degree

f1
  1 ⊕ x3 ⊕ x5 ⊕ x1x4 ⊕ x2x4 ⊕ x3x4 ⊕ x1x5 ⊕ x2x5 ⊕ x1x6 ⊕ x2x6 ⊕ x4x6 ⊕ x5x6 ⊕ x1x2x3 ⊕ x1x2x4 ⊕ x1x3x4 ⊕ x2x3x4 ⊕ x2x3x5 ⊕ x2x4x5 ⊕ x2x4x6 ⊕ x3x4x6 ⊕ x2x5x6 ⊕ x1x2x3x4 ⊕ x1x2x4x5 ⊕ x2x3x4x5 ⊕ x1x3x4x6 ⊕ x2x3x4x6 ⊕ x1x2x3x4x5 ⊕ x1x2x3x5x6
  Number of Terms: 28   Degree: 5

f2
  x2 ⊕ x3 ⊕ x5 ⊕ x6 ⊕ x1x4 ⊕ x2x4 ⊕ x3x4 ⊕ x2x5 ⊕ x4x6 ⊕ x1x2x3 ⊕ x1x2x4 ⊕ x2x3x4 ⊕ x2x3x5 ⊕ x2x3x6 ⊕ x1x4x6 ⊕ x3x4x6 ⊕ x1x5x6 ⊕ x2x5x6 ⊕ x1x2x3x4 ⊕ x1x3x4x5 ⊕ x2x3x4x5 ⊕ x1x2x3x6 ⊕ x1x2x4x6
  Number of Terms: 23   Degree: 4

f3
  x3 ⊕ x5 ⊕ x1x4 ⊕ x2x4 ⊕ x1x5 ⊕ x1x6 ⊕ x4x6 ⊕ x1x2x3 ⊕ x1x2x4 ⊕ x2x3x4 ⊕ x2x3x6 ⊕ x1x5x6 ⊕ x2x5x6 ⊕ x1x2x3x4 ⊕ x1x2x4x6 ⊕ x1x3x4x6 ⊕ x1x3x5x6 ⊕ x2x3x5x6 ⊕ x2x4x5x6 ⊕ x1x2x3x5x6 ⊕ x1x2x4x5x6
  Number of Terms: 21   Degree: 5

f4
  1 ⊕ x2 ⊕ x5 ⊕ x1x2 ⊕ x1x3 ⊕ x1x4 ⊕ x2x4 ⊕ x3x4 ⊕ x3x5 ⊕ x1x6 ⊕ x2x6 ⊕ x3x6 ⊕ x4x6 ⊕ x1x2x4 ⊕ x1x2x5 ⊕ x1x3x5 ⊕ x2x3x5 ⊕ x1x3x6 ⊕ x2x3x6 ⊕ x1x4x6 ⊕ x3x4x6 ⊕ x1x5x6 ⊕ x1x2x3x4 ⊕ x1x3x4x5 ⊕ x1x2x3x6 ⊕ x1x2x4x6 ⊕ x1x3x4x6 ⊕ x2x3x4x6 ⊕ x2x4x5x6 ⊕ x1x2x3x4x5 ⊕ x1x2x3x4x6 ⊕ x1x2x3x5x6 ⊕ x1x2x4x5x6
  Number of Terms: 33   Degree: 5

Table 6.8: ANF and Degree of S-Box 2 BFs.
Function | Walsh Spectra and Walsh-Hadamard Spectra

f1
  W:  (32, 0, 0, 0, 0, 0, 0, 0, 2, -2, -2, 2, 6, 2, 10, -2, 4, 0, 0, 4, -4, 8, 0, 4, 2, -6, -6, 2, 6, -2, -2, 6, 2, 2, -2, -2, 2, 2, -2, -2, 4, 0, -4, 0, 0, -4, 0, -12, -2, 2, 6, 2, 6, -6, 6, 2, -4, -4, 0, 0, 8, 8, -4, -4)
  WH: (0, 0, 0, 0, 0, 0, 0, 0, -4, 4, 4, -4, -12, -4, -20, 4, -8, 0, 0, -8, 8, -16, 0, -8, -4, 12, 12, -4, -12, 4, 4, -12, -4, -4, 4, 4, -4, -4, 4, 4, -8, 0, 8, 0, 0, 8, 0, 24, 4, -4, -12, -4, -12, 12, -12, -4, 8, 8, 0, 0, -16, -16, 8, 8)

f2
  W:  (32, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 8, 0, 0, -8, -4, -4, 0, 0, -4, -4, 0, 0, 0, 0, 4, 4, 0, 8, -4, 4, 4, 0, 0, -4, -4, 0, 0, 4, 4, 0, -8, 4, 4, 0, -8, 4, 4, -8, -4, 0, -4, 8, -4, -8, 0, 4, 0, 4, -8, -4, -8, -4)
  WH: (0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, -16, 0, 0, 16, 8, 8, 0, 0, 8, 8, 0, 0, 0, 0, -8, -8, 0, -16, 8, -8, -8, 0, 0, 8, 8, 0, 0, -8, -8, 0, 16, -8, -8, 0, 16, -8, -8, 16, 8, 0, 8, -16, 8, 16, 0, -8, 0, -8, 16, 8, 16, 8)

f3
  W:  (32, 0, 0, 0, -2, -2, 2, 2, -6, 2, 2, 2, 0, 0, -4, 4, 0, 0, 4, -4, -2, -10, -2, -2, -2, -2, 2, 2, -4, -4, -4, -4, 0, 0, 0, 0, 2, 2, -2, -2, -2, 6, 6, -10, -8, 8, -4, 4, 4, 4, -8, 0, -10, -2, -2, -2, -2, -2, 2, 2, 0, 0, 8, 8)
  WH: (0, 0, 0, 0, 4, 4, -4, -4, 12, -4, -4, -4, 0, 0, 8, -8, 0, 0, -8, 8, 4, 20, 4, 4, 4, 4, -4, -4, 8, 8, 8, 8, 0, 0, 0, 0, -4, -4, 4, 4, 4, -12, -12, 20, 16, -16, 8, -8, -8, -8, 16, 0, 20, 4, 4, 4, 4, 4, -4, -4, 0, 0, -16, -16)

f4
  W:  (32, 0, 0, 0, 2, 2, -2, -2, 2, -2, -2, 2, -4, 0, -4, 8, 2, 2, 2, 2, 8, 0, -4, 4, 0, 4, 4, 0, 6, -6, 6, 2, -2, 2, -2, 2, 0, -4, 4, 0, 8, 0, 4, 4, 2, -6, -6, -6, -4, 0, 4, 8, 2, 6, 6, -6, -6, -6, 6, -2, 0, -8, 0, 0)
  WH: (0, 0, 0, 0, -4, -4, 4, 4, -4, 4, 4, -4, 8, 0, 8, -16, -4, -4, -4, -4, -16, 0, 8, -8, 0, -8, -8, 0, -12, 12, -12, -4, 4, -4, 4, -4, 0, 8, -8, 0, -16, 0, -8, -8, -4, 12, 12, 12, 8, 0, -8, -16, -4, -12, -12, 12, 12, 12, -12, 4, 0, 16, 0, 0)

Table 6.9: Walsh Spectra and Walsh-Hadamard Spectra of S-Box 2 BFs.


Function | Cayley Graph Spectra (λ1 ≤ λ2 ≤ ··· ≤ λn) | Distinct λi

f1
  λ:     -12   -6   -4   -2    0    2    4    6    8   10   32
  mult:    1    3    7   10   16   12    4    6    3    1    1
  Distinct λi: 11

f2
  λ:      -8   -4    0    4    8   32
  mult:    7   12   29   12    3    1
  Distinct λi: 6

f3
  λ:     -10   -8   -6   -4   -2    0    2    4    6    8   32
  mult:    3    2    1    7   15   14   11    5    2    3    1
  Distinct λi: 11

f4
  λ:      -8   -6   -4   -2    0    2    4    6    8   32
  mult:    1    7    5    7   14   13    7    5    4    1
  Distinct λi: 10

Table 6.10: Cayley Graph Spectra of S-Box 2 BFs.




Function | Laplacian Spectra (μ1 ≤ μ2 ≤ ··· ≤ μn)

f1
  μ:       0   22   24   26   28   30   32   34   36   38   44
  mult:    1    1    3    6    4   12   16   10    7    3    1

f2
  μ:       0   24   28   32   36   40
  mult:    1    3   12   29   12    7

f3
  μ:       0   24   26   28   30   32   34   36   38   40   42
  mult:    1    2    3    5   11   14   15    7    1    2    3

f4
  μ:       0   24   26   28   30   32   34   36   38   40
  mult:    1    4    5    7   13   14    7    5    7    1

Table 6.11: Laplacian Spectra of Cayley Graphs Associated with S-Box 2 BFs.


Crypto Property              f1    f2    f3    f4
Degree                        5     4     5     5
Balanced                     Yes   Yes   Yes   Yes
Weight                       32    32    32    32
Nonlinearity                 20    24    22    24
Algebraic Immunity            3     3     3     3
Correlation Immunity Order    0     0     0     0
Resiliency Order              0     0     0     0

Table 6.12: Cryptographic Properties of S-Box 2 BFs.


Figure 6.2 represents the Cayley graph for the second row BF. Since all of these Cayley graphs are 32-regular, we omit the remaining graphical representations from this thesis.

Figure 6.2: Cayley Graph Representation for f_2 of S-Box 1.

Spectral Observations

We deviate here for the second S-Box and present the results in table format without bounds where appropriate.


Graph Parameter           Γ_f1             Γ_f2             Γ_f3             Γ_f4
Regularity; deg           Yes; 32          Yes; 32          Yes; 32          Yes; 32
Connected; k(Γ_f)         Yes; 1           Yes; 1           Yes; 1           Yes; 1
Bipartite                 No               No               No               No
rank(A_f)                 48               35               50               50
Diameter                  2                2                2                2
Spanning Trees; τ(Γ_f)    2.2642 × 10^92   1.7368 × 10^93   1.8851 × 10^93   2.2737 × 10^92
Clique Number             8                8                8                8
Independence Number       8                8                8                8
Chromatic Number          8                8                8                8

Table 6.13: Properties of Cayley Graphs Associated with S-Box 2 BFs.


6.2.3  S-Box  3 

S-Box  3  is  displayed  in  Table  6.14. 


S-Box 3

ROW/COL   0000  0001  0010  0011  0100  0101  0110  0111
00        1010  0000  1001  1110  0110  0011  1111  0101
01        1101  0111  0000  1001  0011  0100  0110  1010
10        1101  0110  0100  1001  1000  1111  0011  0000
11        0001  1010  1101  0000  0110  1001  1000  0111

ROW/COL   1000  1001  1010  1011  1100  1101  1110  1111
00        0001  1101  1100  0111  1011  0100  0010  1000
01        0010  1000  0101  1110  1100  1011  1111  0001
10        1011  0001  0010  1100  0101  1010  1110  0111
11        0100  1111  1110  0011  1011  0101  0010  1100

Table 6.14: S-Box 3 in Binary Form.
The BFs in S-Box 3 are converted to their ANFs in Table 6.15. Tables 6.16, 6.17, 6.18, and 6.19 follow in the same manner as before.


Function | ANF | Number of Terms | Degree

f1
  1 ⊕ x1 ⊕ x3 ⊕ x5 ⊕ x6 ⊕ x1x3 ⊕ x2x4 ⊕ x3x4 ⊕ x2x5 ⊕ x3x5 ⊕ x4x5 ⊕ x1x6 ⊕ x4x6 ⊕ x2x3x4 ⊕ x1x4x5 ⊕ x1x2x6 ⊕ x1x3x6 ⊕ x2x3x6 ⊕ x3x4x6 ⊕ x1x5x6 ⊕ x2x5x6 ⊕ x3x5x6 ⊕ x4x5x6 ⊕ x1x2x3x4 ⊕ x2x3x4x5 ⊕ x1x2x4x6 ⊕ x1x3x4x6 ⊕ x2x3x5x6 ⊕ x1x2x3x4x5 ⊕ x1x2x4x5x6
  Number of Terms: 30   Degree: 5

f2
  1 ⊕ x2 ⊕ x3 ⊕ x4 ⊕ x5 ⊕ x6 ⊕ x1x2 ⊕ x1x3 ⊕ x2x4 ⊕ x3x5 ⊕ x4x5 ⊕ x4x6 ⊕ x1x2x4 ⊕ x2x3x4 ⊕ x1x2x5 ⊕ x2x3x5 ⊕ x1x4x5 ⊕ x2x4x5 ⊕ x3x4x5 ⊕ x1x4x6 ⊕ x4x5x6 ⊕ x1x2x3x5 ⊕ x1x2x4x5 ⊕ x1x3x4x5 ⊕ x2x3x4x5 ⊕ x2x3x4x6 ⊕ x2x4x5x6 ⊕ x1x2x3x4x5 ⊕ x1x2x3x4x6
  Number of Terms: 29   Degree: 5

f3
  1 ⊕ x2 ⊕ x3 ⊕ x4 ⊕ x1x2 ⊕ x1x3 ⊕ x1x4 ⊕ x2x4 ⊕ x1x5 ⊕ x3x5 ⊕ x1x6 ⊕ x2x6 ⊕ x5x6 ⊕ x1x2x3 ⊕ x1x3x4 ⊕ x2x3x4 ⊕ x2x3x5 ⊕ x2x4x5 ⊕ x1x5x6 ⊕ x3x5x6 ⊕ x1x2x4x5 ⊕ x2x3x4x5 ⊕ x1x2x3x6 ⊕ x2x3x4x6 ⊕ x1x2x5x6 ⊕ x1x3x5x6 ⊕ x2x3x5x6 ⊕ x1x2x3x4x5 ⊕ x1x2x3x4x6
  Number of Terms: 29   Degree: 5

f4
  x3 ⊕ x4 ⊕ x1x2 ⊕ x1x3 ⊕ x2x4 ⊕ x1x5 ⊕ x2x5 ⊕ x1x6 ⊕ x5x6 ⊕ x1x2x3 ⊕ x1x3x4 ⊕ x2x3x4 ⊕ x1x2x5 ⊕ x1x3x5 ⊕ x2x4x5 ⊕ x1x4x6 ⊕ x2x4x6 ⊕ x1x5x6 ⊕ x2x5x6 ⊕ x1x2x3x5 ⊕ x1x2x4x5 ⊕ x1x3x4x5 ⊕ x2x3x4x5 ⊕ x1x2x5x6 ⊕ x1x2x3x5x6 ⊕ x1x2x4x5x6
  Number of Terms: 26   Degree: 5

Table 6.15: ANF and Degree of S-Box 3 BFs.
Function | Walsh Spectra and Walsh-Hadamard Spectra

f1
  W:  (32, 0, 0, 0, 2, 6, -2, 2, -4, 0, -4, 0, 2, 2, -2, -2, 0, 0, 4, 4, -6, -2, 2, 6, -4, 0, 0, 4, 2, 2, -6, -6, 2, 2, -2, -2, 4, 0, 4, 0, -6, 6, -2, -6, 0, 0, 8, -8, -6, 10, 2, 2, 4, 0, -8, 4, 2, -2, 2, -2, 8, 8, 4, 4)
  WH: (0, 0, 0, 0, -4, -12, 4, -4, 8, 0, 8, 0, -4, -4, 4, 4, 0, 0, -8, -8, 12, 4, -4, -12, 8, 0, 0, -8, -4, -4, 12, 12, -4, -4, 4, 4, -8, 0, -8, 0, 12, -12, 4, 12, 0, 0, -16, 16, 12, -20, -4, -4, -8, 0, 16, -8, -4, 4, -4, 4, -16, -16, -8, -8)

f2
  W:  (32, 0, 0, 0, 0, -4, 0, -4, 0, 0, 0, 0, 0, 4, 0, 4, -2, -2, 2, 2, -6, -2, -2, 2, 2, 2, -2, -2, 6, 2, 2, -2, -2, -2, -2, -2, -2, 2, -2, 2, 6, -10, -2, -2, 6, 2, -2, 10, 4, -4, 0, 8, 0, 4, 12, 0, 8, 0, 4, -4, -4, -8, 8, 4)
  WH: (0, 0, 0, 0, 0, 8, 0, 8, 0, 0, 0, 0, 0, -8, 0, -8, 4, 4, -4, -4, 12, 4, 4, -4, -4, -4, 4, 4, -12, -4, -4, 4, 4, 4, 4, 4, 4, -4, 4, -4, -12, 20, 4, 4, -12, -4, 4, -20, -8, 8, 0, -16, 0, -8, -24, 0, -16, 0, -8, 8, 8, 16, -16, -8)

f3
  W:  (32, 0, 0, 0, 0, 0, 0, 0, 4, 0, 0, 4, 0, -4, 4, 8, -2, -2, 2, 2, 2, 2, -2, -2, 2, -2, -6, -2, 10, 6, 2, 6, -2, -2, 2, 2, -2, -2, 2, 2, 6, 2, 6, -6, -6, 6, 2, 6, 4, -4, 4, -4, 0, -8, 8, 0, -4, 0, 0, -4, 4, -8, -8, 4)
  WH: (0, 0, 0, 0, 0, 0, 0, 0, -8, 0, 0, -8, 0, 8, -8, -16, 4, 4, -4, -4, -4, -4, 4, 4, -4, 4, 12, 4, -20, -12, -4, -12, 4, 4, -4, -4, 4, 4, -4, -4, -12, -4, -12, 12, 12, -12, -4, -12, -8, 8, -8, 8, 0, 16, -16, 0, 8, 0, 0, 8, -8, 16, 16, -8)

f4
  W:  (32, 0, 0, 0, -2, 2, 2, -2, 2, -2, -2, 2, -4, -4, -4, -4, 0, 0, 0, 0, 2, -10, 6, 2, -2, 2, 2, -2, -12, -4, -4, 4, -4, 0, 0, 4, 2, -6, 2, 2, -2, 6, -2, -2, 0, -4, -4, -8, -4, 0, 0, 4, 6, -2, -10, 6, 2, 2, -6, 2, 0, 4, 4, 8)
  WH: (0, 0, 0, 0, 4, -4, -4, 4, -4, 4, 4, -4, 8, 8, 8, 8, 0, 0, 0, 0, -4, 20, -12, -4, 4, -4, -4, 4, 24, 8, 8, -8, 8, 0, 0, -8, -4, 12, -4, -4, 4, -12, 4, 4, 0, 8, 8, 16, 8, 0, 0, -8, -12, 4, 20, -12, -4, -4, 12, -4, 0, -8, -8, -16)

Table 6.16: Walsh Spectra and Walsh-Hadamard Spectra of S-Box 3 BFs.


Function | Cayley Graph Spectra (λ1 ≤ λ2 ≤ ··· ≤ λn) | Distinct λi

f1
  λ:      -8   -6   -4   -2    0    2    4    6    8   10   32
  mult:    2    6    3    9   14   13    9    3    3    1    1
  Distinct λi: 11

f2
  λ:     -10   -8   -6   -4   -2    0    2    4    6    8   10   12   32
  mult:    1    1    1    5   16   15   10    6    3    3    1    1    1
  Distinct λi: 13

f3
  λ:      -8   -6   -4   -2    0    2    4    6    8   10   32
  mult:    3    3    5   10   14   12    7    6    2    1    1
  Distinct λi: 11

f4
  λ:     -12  -10   -8   -6   -4   -2    0    2    4    6    8   32
  mult:    1    2    1    2   10   10   13   14    5    4    1    1
  Distinct λi: 12

Table 6.17: Cayley Graph Spectra of S-Box 3 BFs.

Table 6.18: Laplacian Spectra of Cayley Graphs Associated with S-Box 3 BFs.


Crypto Property              f1    f2    f3    f4
Degree                        5     5     5     5
Balanced                     Yes   Yes   Yes   Yes
Weight                       32    32    32    32
Nonlinearity                 22    20    22    20
Algebraic Immunity            3     3     3     3
Correlation Immunity Order    0     0     0     0
Resiliency Order              0     0     0     0

Table 6.19: Cryptographic Properties of S-Box 3 BFs.


Spectral  Observations 

Table  6.20  depicts  the  relevant  properties  of  the  Cayley  graphs  associated  with  the  S-Box  3 
BFs. 
Graph Parameter           Γ_f1             Γ_f2             Γ_f3             Γ_f4
Regularity; deg           Yes; 32          Yes; 32          Yes; 32          Yes; 32
Connected; k(Γ_f)         Yes; 1           Yes; 1           Yes; 1           Yes; 1
Bipartite                 No               No               No               No
rank(A_f)                 50               49               50               51
Diameter                  2                2                2                2
Spanning Trees; τ(Γ_f)    2.2695 × 10^92   2.2106 × 10^92   2.2699 × 10^92   1.761 × 10^93
Clique Number             8                8                8                8
Independence Number       8                8                8                8
Chromatic Number          8                8                8                8

Table 6.20: Properties of Cayley Graphs Associated with S-Box 3 BFs.


6.2.4  S-Box  4 

S-Box  4  is  displayed  in  Table  6.21. 


S-Box 4

ROW/COL   0000  0001  0010  0011  0100  0101  0110  0111
00        0111  1101  1110  0011  0000  0110  1001  1010
01        1101  1000  1011  0101  0110  1111  0000  0011
10        1010  0110  1001  0000  1100  1011  0111  1101
11        0011  1111  0000  0110  1010  0001  1101  1000

ROW/COL   1000  1001  1010  1011  1100  1101  1110  1111
00        0001  0010  1000  0101  1011  1100  0100  1111
01        0100  0111  0010  1100  0001  1010  1110  1001
10        1111  0001  0011  1110  0101  0010  1000  0100
11        1001  0100  0101  1011  1100  0111  0010  1110

Table 6.21: S-Box 4 in Binary Form.


Table  6.22  lists  the  ANFs  for  the  BFs  of  S-Box  4. 
Function | ANF | Number of Terms | Degree

f1
  x1 ⊕ x2 ⊕ x3 ⊕ x4 ⊕ x1x2 ⊕ x1x3 ⊕ x1x4 ⊕ x2x4 ⊕ x1x5 ⊕ x2x5 ⊕ x3x5 ⊕ x1x6 ⊕ x2x6 ⊕ x3x6 ⊕ x5x6 ⊕ x1x3x4 ⊕ x2x3x4 ⊕ x1x2x5 ⊕ x2x3x5 ⊕ x1x3x6 ⊕ x2x3x6 ⊕ x3x4x6 ⊕ x2x5x6 ⊕ x3x5x6 ⊕ x1x2x3x4 ⊕ x2x3x4x5 ⊕ x1x3x4x6 ⊕ x2x3x4x6 ⊕ x1x2x5x6 ⊕ x1x3x5x6 ⊕ x2x3x5x6 ⊕ x1x4x5x6 ⊕ x2x4x5x6 ⊕ x1x2x3x4x5 ⊕ x1x2x3x5x6
  Number of Terms: 35   Degree: 5

f2
  1 ⊕ x2 ⊕ x5 ⊕ x6 ⊕ x1x2 ⊕ x1x3 ⊕ x1x4 ⊕ x2x4 ⊕ x3x4 ⊕ x1x5 ⊕ x3x5 ⊕ x1x6 ⊕ x2x6 ⊕ x5x6 ⊕ x1x3x4 ⊕ x1x2x5 ⊕ x2x3x5 ⊕ x1x3x6 ⊕ x2x3x6 ⊕ x4x5x6 ⊕ x1x2x3x4 ⊕ x1x3x4x6 ⊕ x2x3x4x6 ⊕ x1x2x5x6 ⊕ x1x3x5x6 ⊕ x1x4x5x6 ⊕ x2x4x5x6 ⊕ x1x2x3x4x5 ⊕ x1x2x3x5x6
  Number of Terms: 29   Degree: 5

f3
  1 ⊕ x1 ⊕ x3 ⊕ x2x3 ⊕ x2x4 ⊕ x1x5 ⊕ x2x5 ⊕ x3x5 ⊕ x4x5 ⊕ x1x6 ⊕ x4x6 ⊕ x5x6 ⊕ x1x3x4 ⊕ x1x3x5 ⊕ x1x4x5 ⊕ x2x4x5 ⊕ x3x4x5 ⊕ x2x3x6 ⊕ x2x5x6 ⊕ x4x5x6 ⊕ x1x2x3x5 ⊕ x1x2x4x5 ⊕ x1x3x4x5 ⊕ x2x3x4x5 ⊕ x1x2x3x6 ⊕ x1x3x4x6 ⊕ x2x3x4x6 ⊕ x2x3x5x6 ⊕ x1x4x5x6 ⊕ x2x4x5x6 ⊕ x1x2x3x4x5 ⊕ x1x2x3x5x6
  Number of Terms: 32   Degree: 5

f4
  x2 ⊕ x3 ⊕ x5 ⊕ x6 ⊕ x2x3 ⊕ x2x4 ⊕ x3x4 ⊕ x1x5 ⊕ x2x5 ⊕ x1x6 ⊕ x4x6 ⊕ x5x6 ⊕ x1x3x4 ⊕ x1x3x5 ⊕ x2x3x5 ⊕ x1x4x5 ⊕ x3x4x6 ⊕ x2x5x6 ⊕ x1x2x3x5 ⊕ x1x2x4x5 ⊕ x1x3x4x5 ⊕ x1x2x3x6 ⊕ x1x3x4x6 ⊕ x2x3x4x6 ⊕ x1x4x5x6 ⊕ x2x4x5x6 ⊕ x1x2x3x4x5 ⊕ x1x2x3x5x6
  Number of Terms: 28   Degree: 5

Table 6.22: ANF and Degree of S-Box 4 BFs.


Figure 6.3 displays the Walsh-Hadamard spectra of the S-Box 4 BFs obtained from R. It is assumed that the reader can easily compute the Walsh spectra via the relation in Equation 4.16.

Figure 6.3: Walsh-Hadamard Spectra of S-Box 4 BFs. [R console listing of wh(s4r1), wh(s4r2), wh(s4r3), ...; the numeric output is not reproduced here.]


Tables  6.23,  6.24,  and  6.25  follow  in  the  same  manner  as  before. 


Function   Cayley Graph Spectra (λ1 ≤ λ2 ≤ ... ≤ λn)

f1         eigenvalues      -10  -8  -4  -2   0   2   4   8  10  32
           multiplicities     3   3   6  17  11  11  10   1   1   1
           distinct λi: 10

f2         eigenvalues      -10  -8  -4  -2   0   2   4   8  10  32
           multiplicities     1   3   6  11  11  17  10   1   3   1
           distinct λi: 10

f3         eigenvalues      -10  -8  -4  -2   0   2   4   8  10  32
           multiplicities     1   3   6  11  11  17  10   1   3   1
           distinct λi: 10

f4         eigenvalues      -10  -8  -4  -2   0   2   4   8  10  32
           multiplicities     3   3  10   9  11  19   6   1   1   1
           distinct λi: 10

Table 6.23: Cayley Graph Spectra of S-Box 4 BFs.

Table 6.24: Laplacian Spectra of Cayley Graphs Associated with S-Box 4 BFs.


Crypto Property               f1    f2    f3    f4
Degree                        5     5     5     5
Balanced                      Yes   Yes   Yes   Yes
Weight                        32    32    32    32
Nonlinearity                  22    22    22    22
Algebraic Immunity            3     3     3     3
Correlation Immunity Order    0     0     0     0
Resiliency Order              0     0     0     0

Table 6.25: Cryptographic Properties of S-Box 4 BFs.


Spectral  Observations 

Table  6.26  depicts  the  relevant  properties  of  the  Cayley  graphs  associated  with  the  S-Box  4 
BFs. 
Graph Parameter            Γ_f1            Γ_f2           Γ_f3           Γ_f4
Regularity; deg            Yes; 32         Yes; 32        Yes; 32        Yes; 32
Connected; κ(Γ_f)          Yes; 1          Yes; 1         Yes; 1         Yes; 1
Bipartite                  No              No             No             No
Rank(A_Γf)                 53              53             53             53
Diameter                   2               2              2              2
Spanning Trees; τ(Γ_f)     1.7454 × 10^3   2.26 × 10^2    2.26 × 10^2    1.7523 × 10^3
Clique Number              8               8              8              8
Independence Number        8               8              8              8
Chromatic Number           8               8              8              8

[Exponents in the Spanning Trees row are partly illegible in the extracted text.]

Table 6.26: Properties of Cayley Graphs Associated with S-Box 4 BFs.


6.2.5  S-Box  5 

S-Box  5  is  displayed  in  Table  6.27. 


S-Box 5

ROW/COL   0000  0001  0010  0011  0100  0101  0110  0111
00        0010  1100  0100  0001  0111  1010  1011  0110
01        1110  1011  0010  1100  0100  0111  1101  0001
10        0100  0010  0001  1011  1010  1101  0111  1000
11        1011  1000  1100  0111  0001  1110  0010  1101

ROW/COL   1000  1001  1010  1011  1100  1101  1110  1111
00        1000  0101  0011  1111  1101  0000  1110  1001
01        0101  0000  1111  1010  0011  1001  1000  0110
10        1111  1001  1100  0101  0110  0011  0000  1110
11        0110  1111  0000  1001  1010  0100  0101  0011

Table 6.27: S-Box 5 in Binary Form.


Table  6.28  lists  the  ANFs  for  the  BFs  of  S-Box  5. 
Function (Number of Terms, Degree): ANF

f1 (27 terms, degree 5):
  x2 ⊕ x3 ⊕ [illegible term] ⊕ x1x2 ⊕ x1x4 ⊕ x2x4 ⊕ x3x4 ⊕ x1x5 ⊕ x4x5 ⊕ x1x6 ⊕ x4x6
  ⊕ x1x2x3 ⊕ x1x3x4 ⊕ x2x3x5 ⊕ x1x4x5 ⊕ x3x4x5 ⊕ x2x3x6 ⊕ x2x4x6 ⊕ x3x4x6
  ⊕ x1x2x3x4 ⊕ x1x3x4x5 ⊕ x1x2x4x6 ⊕ x1x3x4x6 ⊕ x2x3x5x6 ⊕ x2x4x5x6
  ⊕ x1x2x3x4x5 ⊕ x1x2x4x5x6

f2 (30 terms, degree 5):
  1 ⊕ x4 ⊕ x5 ⊕ x6 ⊕ x1x2 ⊕ x1x3 ⊕ x2x4 ⊕ x3x4 ⊕ x1x5 ⊕ x1x6 ⊕ x5x6
  ⊕ x1x3x4 ⊕ x1x3x5 ⊕ x2x3x5 ⊕ x1x4x5 ⊕ x1x2x6 ⊕ x1x4x6 ⊕ x2x4x6 ⊕ x3x4x6 ⊕ x2x5x6 ⊕ x3x5x6
  ⊕ x1x2x3x4 ⊕ x1x3x4x5 ⊕ x1x3x4x6 ⊕ x1x3x5x6 ⊕ x2x3x5x6 ⊕ x1x4x5x6
  ⊕ x1x2x3x4x5 ⊕ x1x2x3x4x6 ⊕ x1x2x4x5x6

f3 (30 terms, degree 5):
  x1 ⊕ x5 ⊕ x6 ⊕ x1x2 ⊕ x1x3 ⊕ x2x3 ⊕ x1x4 ⊕ x3x4 ⊕ x4x5 ⊕ x1x6
  ⊕ x2x3x4 ⊕ x1x2x3 ⊕ x1x4x5 ⊕ x2x4x5 ⊕ x1x2x6 ⊕ x1x4x6 ⊕ x2x4x6 ⊕ x1x5x6 ⊕ x2x5x6 ⊕ x4x5x6
  ⊕ x1x2x3x5 ⊕ x1x2x4x5 ⊕ x1x3x4x5 ⊕ x2x3x4x6 ⊕ x1x2x5x6 ⊕ x2x3x5x6 ⊕ x2x4x5x6
  ⊕ x1x2x3x4x5 ⊕ x1x2x3x5x6 ⊕ x1x2x4x5x6

f4 (39 terms, degree 5):
  1 ⊕ x1 ⊕ x5 ⊕ x6 ⊕ x1x2 ⊕ x2x3 ⊕ x1x4 ⊕ x2x4 ⊕ x3x4 ⊕ x1x5 ⊕ x3x5 ⊕ x2x6 ⊕ x3x6
  ⊕ x1x2x4 ⊕ x1x3x4 ⊕ x2x3x4 ⊕ x2x3x5 ⊕ x1x4x5 ⊕ x3x4x5 ⊕ x1x2x6 ⊕ x1x3x6 ⊕ x3x4x6
  ⊕ x1x5x6 ⊕ x2x5x6 ⊕ x3x5x6 ⊕ x4x5x6
  ⊕ x1x2x3x4 ⊕ x1x2x4x5 ⊕ x1x3x4x5 ⊕ x2x3x4x5 ⊕ x1x2x4x6 ⊕ x1x3x4x6 ⊕ x2x3x4x6
  ⊕ x1x3x5x6 ⊕ x2x4x5x6
  ⊕ x1x2x3x4x5 ⊕ x1x2x3x4x6 ⊕ x1x2x3x5x6 ⊕ x1x2x4x5x6

Table 6.28: ANF and Degree of S-Box 5 BFs.
Figure 6.4 displays the Walsh-Hadamard spectra of the S-Box 5 BFs obtained from R. It
is again assumed that the reader can compute the Walsh spectra via the relation in
Equation 4.16.

[Figure 6.4: R console output beginning with wh(s5r1); the printed Walsh-Hadamard
values are not recoverable from the extracted text.]

Figure 6.4: Walsh-Hadamard Spectra of S-Box 5 BFs.


Tables  6.29,  6.30,  and  6.31  follow  in  the  same  manner  as  before. 


Function   Cayley Graph Spectra (λ1 ≤ λ2 ≤ ... ≤ λn)

f1         eigenvalues      -10  -8  -6  -4  -2   0   2   4   6   8  10  32
           multiplicities     1   4   2   7  15  14   9   5   4   1   1   1
           distinct λi: 12

f2         eigenvalues       -6  -4  -2   0   2   4   6   8  32
           multiplicities     5   9  11  10  11   7   5   5   1
           distinct λi: 9

f3         eigenvalues       -8  -6  -4  -2   0   2   4   6   8  32
           multiplicities     4   5   9  11  10  11   7   5   1   1
           distinct λi: 10

f4         eigenvalues      -10  -8  -6  -4  -2   0   2   4   6   8  10  32
           multiplicities     1   2   3   6   6  15  16   6   5   2   1   1
           distinct λi: 12

Table 6.29: Cayley Graph Spectra of S-Box 5 BFs.
Function   Laplacian Spectra (μ1 ≤ μ2 ≤ ... ≤ μn)

f1         eigenvalues       0  22  24  26  28  30  32  34  36  38  40  42
           multiplicities    1   1   1   4   5   9  14  15   7   2   4   1

f2         eigenvalues       0  24  26  28  30  32  34  36  38
           multiplicities    1   5   5   7  11  10  11   9   5

f3         eigenvalues       0  24  26  28  30  32  34  36  38  40
           multiplicities    1   1   5   7  11  10  11   9   5   4

f4         eigenvalues       0  22  24  26  28  30  32  34  36  38  40  42
           multiplicities    1   1   2   5   6  16  15   6   6   3   2   1

Table 6.30: Laplacian Spectra of Cayley Graphs Associated with S-Box 5 BFs.


Crypto Property               f1    f2    f3    f4
Degree                        5     5     5     5
Balanced                      Yes   Yes   Yes   Yes
Weight                        32    32    32    32
Nonlinearity                  22    24    24    22
Algebraic Immunity            3     3     3     3
Correlation Immunity Order    0     0     0     0
Resiliency Order              0     0     0     0

Table 6.31: Cryptographic Properties of S-Box 5 BFs.


Spectral  Observations 

Table  6.32  depicts  the  relevant  properties  of  the  Cayley  graphs  associated  with  the  S-Box  5 
BFs. 




Graph Parameter            Γ_f1            Γ_f2            Γ_f3            Γ_f4
Regularity; deg            Yes; 32         Yes; 32         Yes; 32         Yes; 32
Connected; κ(Γ_f)          Yes; 1          Yes; 1          Yes; 1          Yes; 1
Bipartite                  No              No              No              No
Rank(A_Γf)                 50              54              54              49
Diameter                   2               2               2               2
Spanning Trees; τ(Γ_f)     1.7206 × 10^3   2.2469 × 10^2   1.7337 × 10^3   2.286 × 10^2
Clique Number              8               8               8               8
Independence Number        8               8               8               8
Chromatic Number           8               8               8               8

[Exponents in the Spanning Trees row are partly illegible in the extracted text.]

Table 6.32: Properties of Cayley Graphs Associated with S-Box 5 BFs.


6.2.6  S-Box  6 

S-Box  6  is  displayed  in  Table  6.33. 


S-Box 6

ROW/COL   0000  0001  0010  0011  0100  0101  0110  0111
00        1100  0001  1010  1111  1001  0010  0110  1000
01        1010  1111  0100  0010  0111  1100  1001  0101
10        1001  1110  1111  0101  0010  1000  1100  0011
11        0100  0011  0010  1100  1001  0101  1111  1010

ROW/COL   1000  1001  1010  1011  1100  1101  1110  1111
00        0000  1101  0011  0100  1110  0111  0101  1011
01        0110  0001  1101  1110  0000  1011  0011  1000
10        0111  0000  0100  1010  0001  1101  1011  0110
11        1011  1110  0001  0111  0110  0000  1000  1101

Table 6.33: S-Box 6 in Binary Form.


Table  6.34  lists  the  ANFs  for  the  BFs  of  S-Box  6. 




Function (Number of Terms, Degree): ANF

f1 (31 terms, degree 5):
  1 ⊕ x2 ⊕ x3 ⊕ [illegible term] ⊕ x2x3 ⊕ x1x4 ⊕ x2x4 ⊕ x3x4 ⊕ x1x5 ⊕ x4x5 ⊕ x2x6 ⊕ x5x6
  ⊕ x1x2x3 ⊕ x1x3x4 ⊕ x2x3x4 ⊕ x1x3x5 ⊕ x2x3x5 ⊕ x1x4x5 ⊕ x2x4x5 ⊕ x3x4x5 ⊕ x1x4x6 ⊕ x1x5x6
  ⊕ x1x2x3x4 ⊕ x2x3x4x5 ⊕ x2x3x4x6 ⊕ x1x2x5x6 ⊕ x2x3x5x6
  ⊕ x1x2x3x4x5 ⊕ x1x2x3x4x6 ⊕ x1x2x3x5x6 ⊕ x1x2x4x5x6

f2 (30 terms, degree 5):
  1 ⊕ x1 ⊕ x4 ⊕ x5 ⊕ x6 ⊕ x1x3 ⊕ x2x5 ⊕ x3x5 ⊕ x2x6 ⊕ x5x6
  ⊕ x1x2x4 ⊕ x2x3x4 ⊕ x1x2x5 ⊕ x2x3x6 ⊕ x1x4x6 ⊕ x1x5x6 ⊕ x4x5x6
  ⊕ x1x2x3x5 ⊕ x1x3x4x5 ⊕ x1x2x3x6 ⊕ x1x3x4x6 ⊕ x2x3x4x6 ⊕ x1x2x5x6 ⊕ x2x3x5x6
  ⊕ x1x4x5x6 ⊕ x2x4x5x6
  ⊕ x1x2x3x4x5 ⊕ x1x2x3x4x6 ⊕ x1x2x3x5x6 ⊕ x1x2x4x5x6

f3 (36 terms, degree 5):
  1 ⊕ x1 ⊕ x2 ⊕ x5 ⊕ x6 ⊕ x1x3 ⊕ x2x3 ⊕ x1x4 ⊕ x2x4 ⊕ x3x4 ⊕ x1x5 ⊕ x3x5 ⊕ x4x5 ⊕ x5x6
  ⊕ x1x2x3 ⊕ x2x3x4 ⊕ x1x2x5 ⊕ x2x3x5 ⊕ x1x4x5 ⊕ x2x4x5 ⊕ x3x4x5 ⊕ x1x2x6 ⊕ x1x4x6 ⊕ x2x5x6
  ⊕ x1x2x3x4 ⊕ x1x2x3x5 ⊕ x1x2x4x5 ⊕ x1x3x4x5 ⊕ x2x3x4x5 ⊕ x1x3x4x6 ⊕ x1x2x5x6
  ⊕ x1x3x5x6 ⊕ x2x3x5x6
  ⊕ x1x2x3x4x5 ⊕ x1x2x3x4x6 ⊕ x1x2x4x5x6

f4 (29 terms, degree 5):
  x1 ⊕ x5 ⊕ x6 ⊕ x1x2 ⊕ x1x3 ⊕ x2x3 ⊕ x1x4 ⊕ x2x4 ⊕ x3x4 ⊕ x2x5 ⊕ x3x5 ⊕ x4x6
  ⊕ x1x2x3 ⊕ x1x3x4 ⊕ x2x3x4 ⊕ x1x2x5 ⊕ x1x3x5 ⊕ x2x3x6 ⊕ x2x4x6 ⊕ x3x4x6 ⊕ x3x5x6
  ⊕ x1x2x3x5 ⊕ x1x2x3x6 ⊕ x1x3x4x6 ⊕ x1x3x5x6 ⊕ x2x3x5x6 ⊕ x1x4x5x6
  ⊕ x1x2x3x5x6 ⊕ x1x2x4x5x6

Table 6.34: ANF and Degree of S-Box 6 BFs.
Figure 6.5 displays the Walsh-Hadamard spectra of the S-Box 6 BFs obtained from R. It
is again assumed that the reader can compute the Walsh spectra via the relation in
Equation 4.16.

[Figure 6.5: R console output beginning with wh(s6r1); the printed Walsh-Hadamard
values are not recoverable from the extracted text.]

Figure 6.5: Walsh-Hadamard Spectra of S-Box 6 BFs.


Tables  6.35,  6.36,  and  6.37  follow  in  the  same  manner  as  before. 


Table  6.35:  Cayley  Graph  Spectra  of  S-Box  6  BFs. 




Function   Laplacian Spectra (μ1 ≤ μ2 ≤ ... ≤ μn)

f1         eigenvalues       0  22  24  26  28  30  32  34  36  38  42
           multiplicities    1   1   4   3   8  12  11  12   8   3   1

f2         eigenvalues       0  22  24  26  28  30  32  34  36  38  40  42
           multiplicities    1   1   4   2   8  13  13  13   4   2   2   1

f3         eigenvalues       0  22  24  26  28  30  32  34  36  38  42
           multiplicities    1   2   2   2  10  12  13  12   6   2   2

f4         eigenvalues       0  24  26  28  30  32  34  36  38  40  42
           multiplicities    1   2   3   7   9  14  15   5   3   3   2

Table 6.36: Laplacian Spectra of Cayley Graphs Associated with S-Box 6 BFs.


Crypto Property               f1    f2    f3    f4
Degree                        5     5     5     5
Balanced                      Yes   Yes   Yes   Yes
Weight                        32    32    32    32
Nonlinearity                  22    22    22    22
Algebraic Immunity            3     3     3     3
Correlation Immunity Order    0     0     0     0
Resiliency Order              0     0     0     0

Table 6.37: Cryptographic Properties of S-Box 6 BFs.


Spectral  Observations 

Table  6.38  depicts  the  relevant  properties  of  the  Cayley  graphs  associated  with  the  S-Box  6 
BFs. 
Graph Parameter            Γ_f1            Γ_f2            Γ_f3            Γ_f4
Regularity; deg            Yes; 32         Yes; 32         Yes; 32         Yes; 32
Connected; κ(Γ_f)          Yes; 1          Yes; 1          Yes; 1          Yes; 1
Bipartite                  No              No              No              No
Rank(A_Γf)                 53              51              51              50
Diameter                   2               2               2               2
Spanning Trees; τ(Γ_f)     2.2498 × 10^2   2.2657 × 10^2   2.2628 × 10^2   1.7426 × 10^3
Clique Number              8               8               8               8
Independence Number        8               8               8               8
Chromatic Number           8               8               8               8

[Exponents in the Spanning Trees row are partly illegible in the extracted text.]

Table 6.38: Properties of Cayley Graphs Associated with S-Box 6 BFs.


6.2.7  S-Box  7 

S-Box  7  is  displayed  in  Table  6.39. 


S-Box 7

ROW/COL   0000  0001  0010  0011  0100  0101  0110  0111
00        0100  1011  0010  1110  1111  0000  1000  1101
01        1101  0000  1011  0111  0100  1001  0001  1010
10        0001  0100  1011  1101  1100  0011  0111  1110
11        0110  1011  1101  1000  0001  0100  1010  0111

ROW/COL   1000  1001  1010  1011  1100  1101  1110  1111
00        0011  1100  1001  0111  0101  1010  0110  0001
01        1110  0011  0101  1100  0010  1111  1000  0110
10        1010  1111  0110  1000  0000  0101  1001  0010
11        1001  0101  0000  1111  1110  0010  0011  1100

Table 6.39: S-Box 7 in Binary Form.


Table  6.40  lists  the  ANFs  for  the  BFs  of  S-Box  7. 
Function (Number of Terms, Degree): ANF

f1 (27 terms, degree 5):
  [illegible term] ⊕ x3 ⊕ x5 ⊕ x1x2 ⊕ x1x4 ⊕ x2x4 ⊕ x1x5 ⊕ x1x6 ⊕ x2x6 ⊕ x4x6 ⊕ x5x6
  ⊕ x2x3x4 ⊕ x1x2x5 ⊕ x3x4x5 ⊕ x1x2x6 ⊕ x2x4x6 ⊕ x2x5x6 ⊕ x4x5x6
  ⊕ x1x2x4x5 ⊕ x1x3x4x5 ⊕ x2x3x4x5 ⊕ x2x3x4x6 ⊕ x1x2x5x6 ⊕ x1x4x5x6 ⊕ x2x4x5x6
  ⊕ x1x2x3x4x6 ⊕ x1x2x4x5x6

f2 (24 terms, degree 5):
  1 ⊕ x2 ⊕ x3 ⊕ x5 ⊕ x1x2 ⊕ x2x3 ⊕ x1x4 ⊕ x2x4 ⊕ x1x5 ⊕ x2x5 ⊕ x2x6 ⊕ x4x6
  ⊕ x1x2x3 ⊕ x2x4x5 ⊕ x2x4x6 ⊕ x1x5x6
  ⊕ x1x2x3x4 ⊕ x1x3x4x5 ⊕ x2x3x4x5 ⊕ x1x2x4x6 ⊕ x1x3x4x6 ⊕ x2x4x5x6
  ⊕ x1x2x3x4x5 ⊕ x1x2x4x5x6

f3 (28 terms, degree 5):
  x4 ⊕ x5 ⊕ x6 ⊕ x1x2 ⊕ x1x3 ⊕ x1x4 ⊕ x2x3 ⊕ x3x5 ⊕ x1x6
  ⊕ x2x3x4 ⊕ x1x2x5 ⊕ x1x3x5 ⊕ x1x2x6 ⊕ x1x4x6 ⊕ x2x4x6 ⊕ x3x4x6 ⊕ x1x5x6 ⊕ x2x5x6 ⊕ x3x5x6
  ⊕ x1x2x4x5 ⊕ x1x3x4x5 ⊕ x1x3x4x6 ⊕ x2x3x4x6 ⊕ x1x2x5x6 ⊕ x1x3x5x6 ⊕ x1x4x5x6
  ⊕ x1x2x3x4x6 ⊕ x1x2x4x5x6

f4 (32 terms, degree 5):
  x1 ⊕ x2 ⊕ x3 ⊕ x4 ⊕ [illegible term] ⊕ x2x3 ⊕ x1x4 ⊕ x3x4 ⊕ x1x5 ⊕ x2x5 ⊕ x3x5
  ⊕ x1x2x3 ⊕ x1x2x4 ⊕ x1x3x4 ⊕ x2x3x4 ⊕ x1x2x5 ⊕ x1x3x5 ⊕ x2x3x5 ⊕ x2x4x6 ⊕ x3x4x6 ⊕ x3x5x6
  ⊕ x1x2x3x4 ⊕ x1x2x3x5 ⊕ x1x2x3x6 ⊕ x1x2x4x6 ⊕ x1x3x4x6 ⊕ x1x3x5x6 ⊕ x2x3x5x6 ⊕ x1x4x5x6
  ⊕ x1x2x3x4x6 ⊕ x1x2x3x5x6 ⊕ x1x2x4x5x6

Table 6.40: ANF and Degree of S-Box 7 BFs.


Figure 6.6 displays the Walsh-Hadamard spectra of the S-Box 7 BFs obtained from R. It
is again assumed that the reader can compute the Walsh spectra via the relation in
Equation 4.16.
[Figure 6.6: R console output of wh(s7r1), wh(s7r2), ...; only fragments of the printed
Walsh-Hadamard values survive in the extracted text, so they are not reproduced here.]

Figure 6.6: Walsh-Hadamard Spectra of S-Box 7 BFs.


Tables  6.41,  6.42,  and  6.43  follow  in  the  same  manner  as  before. 


Function   Cayley Graph Spectra (λ1 ≤ λ2 ≤ ... ≤ λn)

f1         eigenvalues      -10  -8  -6  -4  -2   0   2   4   6   8  10  32
           multiplicities     1   5   1   6  16  13  10   6   3   1   1   1
           distinct λi: 12

f2         eigenvalues      -10  -8  -6  -4  -2   0   2   4   6   8  10  32
           multiplicities     1   2   2   4  10  19  12   4   5   2   2   1
           distinct λi: 12

f3         eigenvalues       -8  -6  -4  -2   0   2   4   6   8  32
           multiplicities     3   7   9   7  14  13   3   5   2   1
           distinct λi: 10

f4         eigenvalues       -8  -6  -4  -2   0   2   4   6   8  10  32
           multiplicities     5   2   7  17  12   9   5   3   2   1   1
           distinct λi: 11

Table 6.41: Cayley Graph Spectra of S-Box 7 BFs.


Function   Laplacian Spectra (μ1 ≤ μ2 ≤ ... ≤ μn)

f1         eigenvalues       0  22  24  26  28  30  32  34  36  38  40  42
           multiplicities    1   1   1   3   6  10  13  16   6   1   5   1

f2         eigenvalues       0  22  24  26  28  30  32  34  36  38  40  42
           multiplicities    1   2   2   5   4  12  19  10   4   2   2   1

f3         eigenvalues       0  24  26  28  30  32  34  36  38  40
           multiplicities    1   2   5   3  13  14   7   9   7   3

f4         eigenvalues       0  22  24  26  28  30  32  34  36  38  40
           multiplicities    1   1   2   3   5   9  12  17   7   2   5

Table 6.42: Laplacian Spectra of Cayley Graphs Associated with S-Box 7 BFs.
Crypto Property               f1    f2    f3    f4
Degree                        5     5     5     5
Balanced                      Yes   Yes   Yes   Yes
Weight                        32    32    32    32
Nonlinearity                  22    22    24    22
Algebraic Immunity            3     3     3     3
Correlation Immunity Order    0     0     0     0
Resiliency Order              0     0     0     0

Table 6.43: Cryptographic Properties of S-Box 7 BFs.


Spectral  Observations 

Table  6.44  depicts  the  relevant  properties  of  the  Cayley  graphs  associated  with  the  S-Box  7 
BFs. 


Graph Parameter            Γ_f1            Γ_f2            Γ_f3            Γ_f4
Regularity; deg            Yes; 32         Yes; 32         Yes; 32         Yes; 32
Connected; κ(Γ_f)          Yes; 1          Yes; 1          Yes; 1          Yes; 1
Bipartite                  No              No              No              No
Rank(A_Γf)                 51              45              50              52
Diameter                   2               2               2               2
Spanning Trees; τ(Γ_f)     1.727 × 10^3    2.2533 × 10^2   1.7258 × 10^3   1.7076 × 10^3
Clique Number              8               8               8               8
Independence Number        8               8               8               8
Chromatic Number           8               8               8               8

[Exponents in the Spanning Trees row are partly illegible in the extracted text.]

Table 6.44: Properties of Cayley Graphs Associated with S-Box 7 BFs.


6.2.8  S-Box  8 

S-Box  8  is  displayed  in  Table  6.45. 
S-Box 8

ROW/COL   0000  0001  0010  0011  0100  0101  0110  0111
00        1101  0010  1000  0100  0110  1111  1011  0001
01        0001  1111  1101  1000  1010  0011  0111  0100
10        0111  1011  0100  0001  1001  1100  1110  0010
11        0010  0001  1110  0111  0100  1010  1000  1101

ROW/COL   1000  1001  1010  1011  1100  1101  1110  1111
00        1010  1001  0011  1110  0101  0000  1100  0111
01        1100  0101  0110  1011  0000  1110  1001  0010
10        0000  0110  1010  1101  1111  0011  0101  1000
11        1111  1100  1001  0000  0011  0101  0110  1011

Table 6.45: S-Box 8 in Binary Form.
Table 6.46 lists the ANFs for the BFs of S-Box 8.


Function (Number of Terms, Degree): ANF

f1 (31 terms, degree 5):
  1 ⊕ x2 ⊕ x3 ⊕ x5 ⊕ x1x2 ⊕ x1x4 ⊕ x1x5 ⊕ x4x5 ⊕ x1x6 ⊕ x2x6 ⊕ x3x6 ⊕ x4x6
  ⊕ x2x3x4 ⊕ x1x2x5 ⊕ x1x3x5 ⊕ x2x3x5 ⊕ x1x4x5 ⊕ x2x4x5 ⊕ x1x2x6 ⊕ x2x3x6 ⊕ x2x4x6
  ⊕ x3x4x6 ⊕ x1x5x6 ⊕ x4x5x6
  ⊕ x1x2x4x5 ⊕ x2x3x4x6 ⊕ x1x2x5x6 ⊕ x1x4x5x6 ⊕ x2x4x5x6
  ⊕ x1x2x3x4x6 ⊕ x1x2x4x5x6

f2 (30 terms, degree 5):
  x3 ⊕ x4 ⊕ x5 ⊕ x6 ⊕ x1x2 ⊕ x2x4 ⊕ x3x4 ⊕ x1x5 ⊕ x2x6
  ⊕ x1x2x3 ⊕ x1x3x4 ⊕ x1x2x5 ⊕ x1x3x5 ⊕ x2x3x5 ⊕ x1x2x6 ⊕ x1x3x6 ⊕ x2x3x6 ⊕ x1x4x6
  ⊕ x2x4x6 ⊕ x3x4x6 ⊕ x1x5x6 ⊕ x2x5x6
  ⊕ x1x2x3x4 ⊕ x1x2x3x5 ⊕ x1x2x4x5 ⊕ x1x2x3x6 ⊕ x1x2x5x6 ⊕ x2x4x5x6
  ⊕ x1x2x3x4x5 ⊕ x1x2x4x5x6

f3 (32 terms, degree 5):
  x1 ⊕ x2 ⊕ x3 ⊕ x5 ⊕ x1x2 ⊕ x2x3 ⊕ x2x4 ⊕ x3x4 ⊕ x3x5 ⊕ x1x6 ⊕ x2x6 ⊕ x3x6 ⊕ x4x6
  ⊕ x1x3x4 ⊕ x2x3x4 ⊕ x1x2x5 ⊕ x1x3x5 ⊕ x2x3x5 ⊕ x1x4x5 ⊕ x1x2x6 ⊕ x1x3x6 ⊕ x1x4x6
  ⊕ x2x4x6 ⊕ x3x4x6
  ⊕ x1x2x4x5 ⊕ x1x3x4x6 ⊕ x2x3x4x6 ⊕ x1x2x5x6 ⊕ x2x3x5x6 ⊕ x1x4x5x6
  ⊕ x1x2x3x4x6 ⊕ x1x2x4x5x6

f4 (25 terms, degree 5):
  x2 ⊕ x4 ⊕ x6 ⊕ x1x2 ⊕ x2x3 ⊕ x2x4 ⊕ x3x4 ⊕ x1x5 ⊕ x2x5 ⊕ x3x5 ⊕ x2x6 ⊕ x4x6 ⊕ x5x6
  ⊕ x1x3x4 ⊕ x2x3x5 ⊕ x1x2x6 ⊕ x1x4x6 ⊕ x1x5x6 ⊕ x3x5x6
  ⊕ x1x2x3x5 ⊕ x1x3x5x6 ⊕ x2x3x5x6 ⊕ x2x4x5x6
  ⊕ x1x2x3x4x5 ⊕ x1x2x3x5x6

Table 6.46: ANF and Degree of S-Box 8 BFs.


Figure 6.7 displays the Walsh-Hadamard spectra of the S-Box 8 BFs obtained from R. It
is again assumed that the reader can compute the Walsh spectra via the relation in
Equation 4.16.

[Figure 6.7: R console output; the printed Walsh-Hadamard values are not recoverable
from the extracted text.]

Figure 6.7: Walsh-Hadamard Spectra of S-Box 8 BFs.


Tables  6.47,  6.48,  and  6.49  follow  in  the  same  manner  as  before. 


Function   Cayley Graph Spectra (λ1 ≤ λ2 ≤ ... ≤ λn)

f1         eigenvalues       -8  -6  -4  -2   0   2   4   6   8  32
           multiplicities     2   7   3   5  16  17   5   3   5   1
           distinct λi: 10

f2         eigenvalues      -10  -8  -6  -4  -2   0   2   4   6   8  32
           multiplicities     2   4   2   7  10  14  14   5   4   1   1
           distinct λi: 11

f3         eigenvalues      -10  -8  -6  -4  -2   0   2   4   6   8  10  32
           multiplicities     1   4   4   3  17  14   7   9   2   1   1   1
           distinct λi: 12

f4         eigenvalues      -10  -8  -6  -4  -2   0   2   4   6   8  32
           multiplicities     1   3   5   6  13  13  11   6   2   3   1
           distinct λi: 11

Table 6.47: Cayley Graph Spectra of S-Box 8 BFs.


Function   Laplacian Spectra (μ1 ≤ μ2 ≤ ... ≤ μn)

f1         eigenvalues       0  24  26  28  30  32  34  36  38  40
           multiplicities    1   5   3   5  17  16   5   3   7   2

f2         eigenvalues       0  24  26  28  30  32  34  36  38  40  42
           multiplicities    1   1   4   5  14  14  10   7   2   4   2

f3         eigenvalues       0  22  24  26  28  30  32  34  36  38  40  42
           multiplicities    1   1   1   2   9   7  14  17   3   4   4   1

f4         eigenvalues       0  24  26  28  30  32  34  36  38  40  42
           multiplicities    1   3   2   6  11  13  13   6   5   3   1

Table 6.48: Laplacian Spectra of Cayley Graphs Associated with S-Box 8 BFs.
Crypto Property               f1    f2    f3    f4
Degree                        5     5     5     5
Balanced                      Yes   Yes   Yes   Yes
Weight                        32    32    32    32
Nonlinearity                  24    22    22    22
Algebraic Immunity            3     3     3     3
Correlation Immunity Order    0     0     0     0
Resiliency Order              0     0     0     0

Table 6.49: Cryptographic Properties of S-Box 8 BFs.


Spectral  Observations 

Table  6.50  depicts  the  relevant  properties  of  the  Cayley  graphs  associated  with  the  S-Box  8 
BFs. 


Graph Parameter            Γ_f1            Γ_f2                    Γ_f3            Γ_f4
Regularity; deg            Yes; 32         Yes; 32                 Yes; 32         Yes; 32
Connected; κ(Γ_f)          Yes; 1          Yes; 1                  Yes; 1          Yes; 1
Bipartite                  No              No                      No              No
Rank(A_Γf)                 48              50                      50              51
Diameter                   2               2                       2               2
Spanning Trees; τ(Γ_f)     2.2801 × 10^2   1.0980 × 10^(illegible) 1.7276 × 10^3   1.7299 × 10^3
Clique Number              8               8                       8               8
Independence Number        8               8                       8               8
Chromatic Number           8               8                       8               8

[Exponents in the Spanning Trees row are partly illegible in the extracted text.]

Table 6.50: Properties of Cayley Graphs Associated with S-Box 8 BFs.


6.3  Relations 

The following observed relations are specific to the DES S-Box BFs and their associated
Cayley graphs. These should not be universalized to all BFs used in similar substitution
steps within a cryptosystem.

1. The constant term 1 appears in the ANF of a BF if and only if the associated Cayley
graph has a loop at every vertex.

2. The functions within an S-Box with the smallest number of terms in their ANF also
have the smallest number of degree 5 terms.

3. Within the same S-Box, if multiple Cayley graphs have the same set of eigenvalues,
then their corresponding BFs have the same nonlinearity. Furthermore, this nonlinearity
is 22.

4. The function(s) with the highest nonlinearity also have the smallest number of distinct
eigenvalues when compared to other functions within the same S-Box; similarly,
the function(s) with the lowest nonlinearity also have the largest number of distinct
eigenvalues.

5. Of the 32 total functions, seven achieve the maximum nonlinearity of 24. These
seven functions as graphs do not contain ±10 as eigenvalues.

6. Six of the 32 total functions achieve a nonlinearity of 22. These functions as graphs
do not have ±12 as eigenvalues. Furthermore, these functions have at most 31 terms
in their ANF. The functions with nonlinearity 22 also have the largest number of
distinct eigenvalues when compared to other functions within the same S-Box.

7. A function achieves the minimum nonlinearity of 20 if and only if its Cayley graph
has an eigenvalue $\lambda \in \{\pm 12\}$.

8. The Cayley graph with the largest multiplicity of 0 as an eigenvalue in each S-Box
also has an adjacency matrix A with the smallest rank. Furthermore, if two or more
Cayley graphs within the same S-Box have the same multiplicity of 0 as an eigenvalue,
then their corresponding adjacency matrices have the same rank.

9. There is no observed pattern in the number of spanning trees in the Cayley graphs.
This is somewhat interesting since all of the graphs are 32-regular, and have the same
diameter, chromatic number, independence number, and clique number.

10. S-Box 2 is the only box to use a BF with algebraic degree four. Surprisingly, this
function achieves the maximum nonlinearity of 24 and its Cayley graph has the
smallest number of distinct eigenvalues across all S-Boxes.

11. Beginning with S-Box 3, at least two functions within each box have the same set of
eigenvalues.

12. S-Box 4 is rather interesting with regards to the Cayley spectrum. Hellman and Davio
noted the redundancy in this S-Box, sparking many to believe that this box was the
trap door left behind by the designers. All four BFs in the fourth S-Box have the
same nonlinearity, the same set of Cayley eigenvalues, and their adjacency matrices
all have the same rank. Granted, the ANFs are different, but the second and third
functions have Cayley graphs with the exact same spectra.

13. The set of possible nonlinearity values {20, 22, 24} is the same as the set of spectral
gap† values. Furthermore, for S-Boxes 4-7, these two values are equal.

6.4  Expanders 

Recall in Subsection 5.3.2 we introduced the Cheeger constant with respect to cuts in a
graph. Another application of connectivity deals with the expander graph. The expander
graph is a regular graph (typically of small degree) such that the number of neighbors of
any subset of the vertex set containing at most half of the total nodes is at least a constant
factor of its size [85]. More formally, an $\varepsilon$-expander is a regular graph $G = (V, E)$ such that
for every set $S \subseteq V$ with $|S| \le |V|/2$, the number of nodes in $V \setminus S$ adjacent to some $x \in S$ is
at least $\varepsilon |S|$. If the spectral gap for an $r$-regular graph is at least $2\varepsilon r$, then the graph is an
$\varepsilon$-expander [85]. Also [104], an $r$-regular graph is an $\varepsilon$-expander if the Cheeger constant
$h_G$ is at least $\varepsilon$, i.e., $h_G \ge \varepsilon$. Hence, the term expansion is closely related with cuts (vertex,
edge, spectral, etc.). Since expander graphs exhibit strong connectivity properties, they are
often sought out in many computer-based algorithms.

Expanders have wide applications, especially in computer science and the design of
communication networks. Expander graphs were first defined in the 1970s [105] by Leonid
Bassalygo and Michael Pinsker. It is generally difficult to construct an expander graph
from scratch, since they are simultaneously sparse and highly connected. Thus, much of
the work dealing with these graphs is theoretical in nature. However, random graphs often
make good expanders, and we have multiple construction methods to do this. Expander
graphs also have application in error correcting codes as well as pseudorandom numbers.

Construction of $r$-regular expanders implies control of the spectral gap, denoted from now
on as $\Delta = r - \lambda_{n-1}$. Cheeger and Peter Buser bounded the Cheeger constant in terms of the
spectral gap as

$$\frac{\Delta}{2} \le h_G \le \sqrt{2 r \Delta}.$$

† The spectral gap is defined to be the difference between the largest and second largest eigenvalue, i.e.,
$\lambda_n - \lambda_{n-1}$. See Section 6.4.

The question remains how large the spectral gap can be. This question obviously relies
on the value for $\lambda_{n-1}$, and by the bounds on the Cheeger constant we see that a large
spectral gap implies high expansion. Alon and Ravi Boppana showed that this gap could
be expressed by bounding the second largest eigenvalue. In particular,

$$\lambda_{n-1} \ge 2\sqrt{r - 1} - o_n(1),$$

where the term $o_n(1)$ tends to zero as $n$ becomes large [105]. This term is simplified from a
fractional ratio of a constant and the diameter of a graph. The interesting case occurs when
this inequality is not satisfied.

Alexander Lubotzky et al. [89] coined the term Ramanujan graph for an $r$-regular graph in
which the largest eigenvalue other than $\lambda_n = r$ is less than or equal to the Alon-Boppana
bound. Ramanujan graphs are named after Indian mathematician Srinivasa Ramanujan,
and because they achieve close to the largest spectral gap possible, Ramanujan graphs
give good explicit constructions for expanders; they are often considered to be the most
well-connected among regular graphs. Precisely, let $G$ be an $r$-regular graph and let $\lambda(G)$
be $\max_{|\lambda_i| < r} |\lambda_i|$. Then $G$ is Ramanujan if $\lambda(G) \le 2\sqrt{r - 1}$. Interestingly, Lubotzky et al.
constructed their Ramanujan graphs from Cayley graphs; the Petersen graph is an example
of a Ramanujan graph. As a consequence, most constructions of Ramanujan graphs are
algebraic in nature. Ramanujan graphs have an interesting niche in coding theory; certain
codes such as Robert Gallager's Low Density Parity Check Codes can be constructed using
Ramanujan graphs [106]. Since these graphs are good examples of connectivity, a family
of Ramanujan graphs can yield a family of expanders.

While the literature varies about loop inclusion, Table 6.51 includes the DES Boolean
Cayley graphs that satisfy the Ramanujan property, namely $\lambda(G) \le 2\sqrt{32 - 1} \approx 11.13552873$.
If loops are included, then 26 out of the 32 Cayley graphs are Ramanujan. A star (*)
indicates that the corresponding Cayley graph has loops. Given the large number of
Ramanujan graphs in Table 6.51 out of the 32 possible, perhaps this yields important design
considerations about S-Box construction using BFs. Interestingly, the six graphs that are
not Ramanujan are also the only ones in which the associated BFs achieve the smallest
nonlinearity of 20.
S-Box   Ramanujan
S1      f4
S2      f2, f3, f4
S3      f1, f3
S4      f1, f2, f3, f4
S5      f1, f2, f3, f4
S6      f1, f2, f3, f4
S7      f1, f2, f3, f4
S8      f1, f2, f3, f4

[The star markers for loops did not survive extraction.]

Table 6.51: The DES Functions with Ramanujan Cayley Graphs.


6.5  Distance  to  Linear  Functions 

An interesting application of nonlinearity involves finding the nearest linear or affine
function to a BF. Recall the WHT given by

$$F(u) = W(f)(u) = \sum_{v} (-1)^{f(v) \oplus \langle u, v \rangle}.$$

This equation is also equal to the number of 0s minus the number of 1s in the function
$f \oplus \ell_u$, where $\ell_u$ is the linear function $\ell_u(v) = \langle u, v \rangle$. Thus, $W(f)(u) = 2^n - 2\,\mathrm{wt}(f \oplus \ell_u) = 2^n - 2d(f, \ell_u)$.
It follows that for a function $f$ and a fixed linear function $\ell_u(v)$, we have

$$d(f, \ell_u) = \tfrac{1}{2}\bigl(2^n - W(f)(u)\bigr). \qquad (6.1)$$

Equation 6.1 implies that the nearest affine function $\ell_{u,a_0}(v) = a_0 \oplus \langle u, v \rangle$, $a_0 \in \mathbb{F}_2$, to $f$ (in
terms of Hamming distance) is the function where $|W(f)(u)|$ is the largest [39]. We give
an example of how to find the nearest affine function to the first S-Box BF, and then the
remaining functions are merely listed.

First recall that the nonlinearity of $f_1$ in S-Box 1 is 20, i.e., $N_{f_1} = 20$. The largest
Walsh-Hadamard (absolute) value of this function is 24, which occurs for the input vector
$u_{43} = 101011$. To find the nearest affine function, we compute

$$\begin{aligned}
\ell_{u,a_0}(v) &= a_0 \oplus \langle u, v \rangle \\
\ell_{43,1}(v) &= 1 \oplus \langle 101011, v \rangle \\
&= 1 \oplus (101011) \cdot (x_6, x_5, x_4, x_3, x_2, x_1) \\
&= 1 \oplus x_1 \oplus x_2 \oplus x_4 \oplus x_6.
\end{aligned}$$

As a check, we can see that $d(f_1, \ell_{43,1}) = \tfrac{1}{2}(2^6 - 24) = 20$, which matches the nonlinearity
of $f_1$. Thus, we need to change 20 bits in $f_1$ in order to arrive at the affine function $1 \oplus x_1 \oplus x_2 \oplus x_4 \oplus x_6$.
It should also be noted that some of the DES functions have multiple vectors
which yield the largest WHT value, e.g., $f_4$ in S-Box 1 has eight vectors that produce ±16.
For such functions, we only list one possible affine function. Table 6.52 lists the
nearest affine functions to the DES S-Box functions.
S-Box   Function   nl(f)   a    Nearest Affine Function
1       f1         20      43   1 ⊕ x1 ⊕ x2 ⊕ x4 ⊕ x6
1       f2         20      54   x2 ⊕ x3 ⊕ x5 ⊕ x6
1       f3         20      41   x1 ⊕ x4 ⊕ x6
1       f4         24      53   1 ⊕ x1 ⊕ x3 ⊕ x5 ⊕ x6
2       f1         20      47   1 ⊕ x1 ⊕ x2 ⊕ x3 ⊕ x4 ⊕ x6
2       f2         24      15   x1 ⊕ x2 ⊕ x3 ⊕ x4
2       f3         22      21   x1 ⊕ x3 ⊕ x5
2       f4         24      61   1 ⊕ x1 ⊕ x3 ⊕ x4 ⊕ x5 ⊕ x6
3       f1         22      49   1 ⊕ x1 ⊕ x5 ⊕ x6
3       f2         20      54   1 ⊕ x2 ⊕ x3 ⊕ x5 ⊕ x6
3       f3         22      29   1 ⊕ x1 ⊕ x3 ⊕ x4 ⊕ x5
3       f4         20      28   x3 ⊕ x4 ⊕ x5
4       f1         22      14   x2 ⊕ x3 ⊕ x4
4       f2         22      30   1 ⊕ x2 ⊕ x3 ⊕ x4 ⊕ x5
4       f3         22      14   1 ⊕ x2 ⊕ x3 ⊕ x4
4       f4         22      13   x1 ⊕ x3 ⊕ x4
5       f1         22      20   x3 ⊕ x5
5       f2         24      46   1 ⊕ x2 ⊕ x3 ⊕ x4 ⊕ x6
5       f3         24      42   x2 ⊕ x4 ⊕ x6
5       f4         22      52   1 ⊕ x3 ⊕ x5 ⊕ x6
6       f1         22      31   1 ⊕ x1 ⊕ x2 ⊕ x3 ⊕ x4 ⊕ x5
6       f2         22      29   1 ⊕ x1 ⊕ x3 ⊕ x4 ⊕ x5
6       f3         22      55   1 ⊕ x1 ⊕ x2 ⊕ x3 ⊕ x5 ⊕ x6
6       f4         22      41   x1 ⊕ x4 ⊕ x6
7       f1         22      46   x2 ⊕ x3 ⊕ x4 ⊕ x6
7       f2         22      20   1 ⊕ x3 ⊕ x5
7       f3         24      40   x4 ⊕ x6
7       f4         22      62   x2 ⊕ x3 ⊕ x4 ⊕ x5 ⊕ x6
8       f1         24      43   1 ⊕ x1 ⊕ x2 ⊕ x4 ⊕ x6
8       f2         22      12   x3 ⊕ x4
8       f3         22      56   x4 ⊕ x5 ⊕ x6
8       f4         22      50   x2 ⊕ x5 ⊕ x6

The integer a is the binary vector u read against (x6, x5, x4, x3, x2, x1) as in the worked example, and a leading 1 marks a0 = 1.

Table 6.52: The Nearest Affine Functions to the DES S-Box BFs.
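The computation behind Equation 6.1 and Table 6.52, written out as an added Python example; this is not code from the thesis or its Maple appendix. It follows the thesis's vector labelling (bit 2^(i-1) of the integer u pairs with x_i, so a 6-bit string reads x6 ... x1 and the integer labels agree with the a column above). The DES truth tables are not reproduced on this page, so the example runs on a constructed sample function f = x1x2 ⊕ x3x4 ⊕ x5 (quadratic, balanced, nonlinearity 24) instead of a DES coordinate function. It also goes one step beyond the section: from the same spectrum it computes the adjacency eigenvalues of the Cayley graph of f (assumed definition: vertices F_2^6, x adjacent to y when f(x ⊕ y) = 1) and applies the Ramanujan test that underlies Table 6.51, which for a balanced 6-variable function reduces to 32 - nl(f) ≤ 2√31, i.e., nl(f) ≥ 22.

```python
"""Walsh-Hadamard spectrum, nearest affine function and Cayley-graph spectrum
of a Boolean function on n = 6 variables.  Added example; the DES truth tables
are not on this page, so a constructed sample function is used."""
from math import sqrt

N = 6
SIZE = 1 << N          # 2^n = 64 inputs


def bit(v, i):
    """x_i (1-based) of the integer v.  x_i lives at bit 2^(i-1), so the 6-bit
    string of v reads x6 x5 x4 x3 x2 x1, the pairing used in Section 6.5."""
    return (v >> (i - 1)) & 1


def parity(v):
    """<u, x> over GF(2) is the parity of u & x."""
    return bin(v).count("1") & 1


def truth_table(func):
    """Truth table of func as a list of 64 bits indexed by the input integer x."""
    return [func(x) for x in range(SIZE)]


def sample_f(x):
    """Constructed sample (not a DES coordinate function):
    f(x) = x1 x2 + x3 x4 + x5 over GF(2).  Balanced, nonlinearity 24."""
    return (bit(x, 1) & bit(x, 2)) ^ (bit(x, 3) & bit(x, 4)) ^ bit(x, 5)


def walsh_hadamard(tt):
    """Sign-form WHT: F(u) = W(f)(u) = sum_x (-1)^(f(x) + <u,x>) for every u."""
    return [sum(-1 if tt[x] ^ parity(u & x) else 1 for x in range(SIZE))
            for u in range(SIZE)]


def nonlinearity(tt):
    """nl(f) = (2^n - max_u |W(f)(u)|) / 2."""
    return (SIZE - max(abs(w) for w in walsh_hadamard(tt))) // 2


def affine_table(u, a0):
    """Truth table of the affine function l_{u,a0}(v) = a0 + <u, v>."""
    return [a0 ^ parity(u & x) for x in range(SIZE)]


def affine_name(u, a0):
    """Render l_{u,a0} in the notation of Table 6.52, e.g. '1 + x1 + x2 + x4 + x6'."""
    terms = (["1"] if a0 else []) + [f"x{i}" for i in range(1, N + 1) if bit(u, i)]
    return " + ".join(terms) if terms else "0"


def hamming_distance(tt1, tt2):
    return sum(p != q for p, q in zip(tt1, tt2))


def nearest_affine(tt):
    """Equation 6.1: d(f, l_u) = (2^n - W(f)(u)) / 2, so the nearest affine
    function uses the u with the largest |W(f)(u)|; W(f)(u) < 0 means the
    complement (a0 = 1) is the nearer one.  Ties go to the smallest u, since
    the thesis lists only one candidate.  Returns (u, a0, distance)."""
    spec = walsh_hadamard(tt)
    u = max(range(SIZE), key=lambda v: (abs(spec[v]), -v))
    a0 = 1 if spec[u] < 0 else 0
    return u, a0, (SIZE - abs(spec[u])) // 2


def cayley_spectrum(tt):
    """Adjacency eigenvalues of the Cayley graph of f (assumed definition:
    vertices F_2^n, x ~ y iff f(x + y) = 1): the 0/1-form Walsh values
    W_f(u) = sum_x f(x) (-1)^<u,x>.  u = 0 gives the degree wt(f)."""
    return [sum(tt[x] * (1 - 2 * parity(u & x)) for x in range(SIZE))
            for u in range(SIZE)]


def is_ramanujan(tt):
    """A d-regular graph is Ramanujan iff every nontrivial eigenvalue satisfies
    |lambda| <= 2 sqrt(d - 1).  For u != 0 the eigenvalue is -W(f)(u)/2, so for
    a balanced f the test is equivalent to 2^(n-1) - nl(f) <= 2 sqrt(d - 1)."""
    spec = cayley_spectrum(tt)
    degree = spec[0]
    return all(abs(lam) <= 2 * sqrt(degree - 1) for lam in spec[1:])


if __name__ == "__main__":
    tt = truth_table(sample_f)
    u, a0, dist = nearest_affine(tt)
    print("nl(f) =", nonlinearity(tt))
    print("nearest affine function:", affine_name(u, a0), "at distance", dist)
    print("check d(f, l) =", hamming_distance(tt, affine_table(u, a0)))
    print("Cayley graph is Ramanujan:", is_ramanujan(tt))
```

For the sample function the largest |W(f)(u)| is 16, so the nearest affine function is x5 at distance 24 and the Cayley graph is Ramanujan; a DES coordinate function with nonlinearity 20 has a nontrivial eigenvalue of magnitude 12, which exceeds 2√31 ≈ 11.14, and this is why only the functions of nonlinearity 22 or 24 appear in Table 6.51.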
CHAPTER 7:

Extensions on DES Substitution Boxes


Recall that Adams and Tavares [50] explained that good BFs used in S-Boxes need to satisfy the SAC. Granted, the SAC did not exist at the time that DES was introduced, and Webster and Tavares [58] even demonstrated that the DES S-Boxes do not satisfy the SAC. In this chapter, we analyze one of the design criteria of the DES S-Boxes and apply it to the coordinate BFs of the vectorial S-Box functions.


7.1  Methods

The specific design criterion we examine is listed by Coppersmith [21] as property (S-5), i.e., complementing the middle two input bits should change the output in at least two bit positions. Mathematically, the DES S-Boxes are required to adhere to the following: $f(x)$ and $f(x \oplus 001100)$ differ in at least two bits. This criterion was based on the S-Box as a function, i.e., $f : \mathbb{F}_2^6 \to \mathbb{F}_2^4$. We cannot examine this property directly on the coordinate BFs because their outputs are single bits rather than strings of four bits. Thus, we perform a PC(2) check on the coordinate functions using Coppersmith's vector 001100. We aim to answer the following questions in this chapter:

1. Do the DES S-Box coordinate functions satisfy the PC of degree 2?

2. Do the DES S-Box coordinate functions satisfy the PC of degree 1, i.e., the SAC?

Recall that for a function to satisfy the PC of degree $k = 2$, we need to check all possible two-bit changes in the inputs and verify that each such change flips the output for exactly one half of the inputs. Also recall that this can be done either by counting the number of positions where $f(x)$ and $f(x \oplus a)$ differ, or by verifying that $\mathrm{wt}(f(x) \oplus f(x \oplus a)) = 2^{n-1}$. Hence if $\mathrm{wt}(f_i(x) \oplus f_i(x \oplus 001100)) \neq 32$ for a function $f_i$ in the DES S-Boxes, $1 \le i \le 32$, then $f_i$ does not satisfy PC(2), and no further vectors need to be checked for it.

We already know that the DES S-Boxes do not satisfy the SAC, but this does not by itself imply that the coordinate functions fail the SAC, since the S-Box criterion is stated on the four-bit output. We aim to shed light on this question in this chapter.
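The PC(2) and SAC checks described in this section, as an added Python example that is not code from the thesis (its own Maple version is in Appendix A.2). The check is exactly the weight test above: count the inputs x for which f(x) and f(x ⊕ a) differ and compare with 2^(n-1) = 32. Vector strings are read as in Section 6.5 (leading character paired with x6), so "001100" flips x4 and x3, the middle two bits. PC(k) is implemented in the usual sense of Preneel et al., i.e., for every nonzero a of weight 1 up to k, so PC(2) includes the SAC vectors; a single failing vector rules the property out, which is how the chapter eliminates functions table by table. Because the DES truth tables are not reproduced on this page, the example runs on the constructed sample function f = x1x2 ⊕ x3x4 ⊕ x5, which passes the 001100 check but fails both the SAC and PC(2).

```python
"""PC(k) and SAC check for a Boolean function on n = 6 variables, the test
applied in Chapter 7.  Added example; the DES truth tables are not on this
page, so a constructed sample function is used."""
from itertools import combinations

N = 6
SIZE = 1 << N          # 2^n = 64 inputs


def bit(v, i):
    """x_i (1-based) of the integer v; x_i lives at bit 2^(i-1)."""
    return (v >> (i - 1)) & 1


def vector(bits):
    """Integer for a 6-character string read as x6 x5 x4 x3 x2 x1, the pairing
    of Section 6.5; '001100' therefore flips x4 and x3, the middle two bits."""
    return int(bits, 2)


def sample_f(x):
    """Constructed sample (not a DES coordinate function):
    f(x) = x1 x2 + x3 x4 + x5 over GF(2)."""
    return (bit(x, 1) & bit(x, 2)) ^ (bit(x, 3) & bit(x, 4)) ^ bit(x, 5)


def truth_table(func):
    """Truth table of func as a list of 64 bits indexed by the input integer x."""
    return [func(x) for x in range(SIZE)]


def derivative_weight(tt, a):
    """wt(f(x) + f(x + a)) over all 2^n inputs: the number of inputs whose
    output flips when the input is changed by a.  Equals 2^(n-1) = 32 exactly
    when the change a flips the output for one half of the inputs."""
    return sum(tt[x] ^ tt[x ^ a] for x in range(SIZE))


def vectors_of_weight(k):
    """All a in F_2^n with exactly k ones, in increasing combination order."""
    return [sum(1 << i for i in idx) for idx in combinations(range(N), k)]


def failing_vectors(tt, k):
    """The weight-k vectors a with wt(f(x) + f(x + a)) != 2^(n-1).
    One such vector already rules PC(k) out (Section 7.1)."""
    return [a for a in vectors_of_weight(k) if derivative_weight(tt, a) != SIZE // 2]


def satisfies_pc(tt, k):
    """PC(k) in the usual sense (Preneel et al.): every nonzero a of weight
    1..k gives a balanced derivative.  PC(1) is the SAC, so PC(2) implies it;
    the thesis tabulates the weight-2 vectors on their own."""
    return all(not failing_vectors(tt, w) for w in range(1, k + 1))


def satisfies_sac(tt):
    return satisfies_pc(tt, 1)


def pc_report(tt, strings):
    """Tables 7.1-7.5 style view: {vector string: wt(f(x) + f(x + a))}."""
    return {s: derivative_weight(tt, vector(s)) for s in strings}


if __name__ == "__main__":
    tt = truth_table(sample_f)
    # 001100 is Coppersmith's vector; 110000, 101000, 100100 are the chapter's
    # follow-up vectors a, b, c; 100000 is the SAC vector of Table 7.5.
    for s, w in pc_report(tt, ["001100", "110000", "101000", "100100", "100000"]).items():
        print(s, w, "passes" if w == SIZE // 2 else "fails")
    print("SAC:", satisfies_sac(tt), " PC(2):", satisfies_pc(tt, 2))
```

For the sample function the derivative along 001100 is x3 ⊕ x4 ⊕ 1, which is balanced, so the function survives the first table; along 110000 it is the constant 1 (weight 64) and along 100000 it is the constant 0 (weight 0), so both PC(2) and the SAC fail, mirroring the elimination sequence of Sections 7.2 and 7.3.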
7.2  Results on Propagation Criteria of Degree 2

Tables 7.1, 7.2, 7.3, and 7.4 display the results of the PC(2) check for the vector 001100. A row marked with an asterisk satisfies the check for this vector (weight exactly 32); all others are eliminated from the check.


S-Box 1
f_i    wt(f(x) ⊕ f(x ⊕ 001100))
f1     36
f2     32 *
f3     36
f4     32 *

S-Box 2
f_i    wt(f(x) ⊕ f(x ⊕ 001100))
f1     24
f2     24
f3     32 *
f4     32 *

Table 7.1: Results of PC(2) Check on S-Boxes 1 and 2.


S-Box 3
f_i    wt(f(x) ⊕ f(x ⊕ 001100))
f1     28
f2     32 *
f3     24
f4     32 *

S-Box 4
f_i    wt(f(x) ⊕ f(x ⊕ 001100))
f1     28
f2     28
f3     28
f4     28

Table 7.2: Results of PC(2) Check on S-Boxes 3 and 4.


S-Box 5
f_i    wt(f(x) ⊕ f(x ⊕ 001100))
f1     28
f2     36
f3     32 *
f4     36

S-Box 6
f_i    wt(f(x) ⊕ f(x ⊕ 001100))
f1     28
f2     24
f3     28
f4     32 *

Table 7.3: Results of PC(2) Check on S-Boxes 5 and 6.
S-Box 7
f_i    wt(f(x) ⊕ f(x ⊕ 001100))
f1     24
f2     32 *
f3     28
f4     32 *

S-Box 8
f_i    wt(f(x) ⊕ f(x ⊕ 001100))
f1     28
f2     32 *
f3     40
f4     36

Table 7.4: Results of PC(2) Check on S-Boxes 7 and 8.


Of the 11 functions that remain eligible to satisfy PC(2) after this check, eight are further eliminated by a check on the vector a = 110000. The final three are eliminated by checks on the vectors b = 101000 and c = 100100. Therefore, we reach the following conclusion concerning PC.

Result 1: The 32 coordinate BFs comprising the DES S-Boxes do not satisfy PC(2).


7.3  Results on Strict Avalanche Criteria

In this section, we display the results of the SAC check on the DES S-Box coordinate functions. Table 7.5 depicts the check of the SAC using the vector a = 100000.
S-Boxes 1-4: wt(f_i(x) ⊕ f_i(x ⊕ 100000))
S-Box   f1    f2    f3    f4
S1      48    44    48    40
S2      36    44    44    40
S3      44    52    40    36
S4      48    36    48    36

S-Boxes 5-8: wt(f_i(x) ⊕ f_i(x ⊕ 100000))
S-Box   f1    f2    f3    f4
S5      36    48    44    48
S6      44    40    40    48
S7      44    36    48    48
S8      44    40    44    40

Table 7.5: Results of SAC Check on DES S-Boxes.


Note that no function in Table 7.5 has a weight of 32 for the vector 100000. Since a single unbalanced derivative already violates the SAC, there is no need to check any other vector of weight one in $\mathbb{F}_2^6$. Therefore, we reach the following conclusion:

Result 2: The 32 coordinate BFs comprising the DES S-Boxes do not satisfy PC(1), i.e., the SAC. Furthermore, for DES at least, we are justified in stating the following implication from the result of Webster and Tavares: if the S-Box function $f : \mathbb{F}_2^6 \to \mathbb{F}_2^4$ does not satisfy the SAC, then its coordinate BFs do not satisfy the SAC either.
CHAPTER 8:
Conclusion


In this chapter, we summarize the findings of this thesis and present some aspects requiring further research.


8.1  Summary of Results

The goal of this thesis was to analyze DES in a new light. We used techniques from spectral graph theory to make statements about the Cayley graphs associated with the DES BFs. Several loose connections were also made between the cryptographic properties of these BFs and the Cayley graph spectra.

The Cayley graphs of these BFs all seem to share many of the same graph properties, particularly diameter, clique number, independence number, and chromatic number. Since all 32 graphs are 32-regular, however, this is not so hard to believe. Many of the cryptographic properties of the BFs are also the same, such as degree, balance, weight, algebraic immunity, correlation immunity, and resiliency. The nonlinearity of the BFs is the primary property that varies, and it seems to be related to the multiplicity of the graph eigenvalues (in the case of DES at least).

We also found a new characterization of most of the DES Cayley graphs (those listed in Table 6.51) as Ramanujan graphs. These are graphs with special expansion properties; expansion relies on the size of the spectral gap. Also, we confirmed that the DES BFs satisfy neither the SAC nor PC(2).

8.2  Areas for Future Work

There are other areas that could be extended from the work of this thesis. These areas are summarized in the following list.

1. DES Related

•  What can we learn from other matrices associated with the DES BFs, e.g., the normalized Laplacian, the signless Laplacian, the incidence matrix, etc.?

•  What can be investigated with the energy spectrum of the BFs, i.e., the square of the WT? Is there a relation between the energy spectrum and the cryptographic properties?

•  Can the inverse eigenvalue problem be applied here, i.e., can we deduce information about the graph spectra from a family of matrices producing this graph?

•  Can we find patterns in the number of random walks in the Cayley graphs?

•  What is the energy of the Cayley graphs, i.e., the sum of the adjacency matrix eigenvalues in absolute value, and can we determine a relation with the properties of the BFs? Can we determine a formula for the energy of the Cayley graph for a BF on n variables?

2. Non-DES Related

•  Apply spectral graph theoretic techniques to other block ciphers such as AES, or even to the combiner functions used in stream ciphers.

•  Investigate relations between Ramanujan graphs and BFs used in cryptosystems.

•  What more can be done with the Laplacian spectra? If we bound the Laplacian eigenvalues by known relations, how are the associated BFs affected?

•  Can we determine a general formulaic relationship between the cryptographic properties of any BF and the spectrum of its associated Cayley graph?

•  Is there a relationship between the spectral gap of a Cayley graph and the nonlinearity of its associated BF?
APPENDIX: Thesis Code


This appendix displays some of the Maple code used to compute some of the properties examined in this thesis. Potential users of this code should validate its execution before implementation.


A.1  Adjacency Matrix Coding


> restart;

Build list of 2^6 input vectors as a list of 6-bit sequences (most significant bit first)

> a := [seq(ListTools[Reverse](convert(i+64, base, 2)[1..-2]), i=0..63)];

Confirm list has 2^6 elements

> nops(a);

Test extraction from list

> a[12];

> a[32];

Test mod 2 addition on elements of a (lists add componentwise, and mod maps over the list)

> a[1] + a[2] mod 2;

Assign truth table outputs to new sequence list; change as needed

> b := [1,1,1,1,1,1,0,0,1,0,0,0,0,0,1,0,0,1,0,0,1,0,0,1,0,0,0,1,0,1,1,1,
0,1,0,1,1,0,1,1,0,0,1,1,1,1,1,0,1,0,1,0,0,0,0,0,0,1,1,0,1,1,0,1];

Confirm list has 2^6 elements

> nops(b);

Test extraction of the i-th item from each list

> a[64]; a[4]; b[2]; b[4];

Create function/mapping from set a to set b (each f(a[i]) := b[i] stores a remember-table entry)

> for i from 1 to 64 do f(a[i]) := b[i]; od;

Test the function

> f(a[2]); f(a[4]);

Test bit operations

> a[12] + a[32] mod 2;
All possible XOR pairs of elements of a: f(a[j] + a[k] mod 2) for j < k gives the
upper triangle of the adjacency matrix of the Cayley graph (a[j] is adjacent to a[k]
when f(a[j] XOR a[k]) = 1), and "break here" separates the rows. The original
listing repeats the inner loop once per row with f(%); the nested loop below is
equivalent and avoids the ditto operator, which is not reliable inside a loop body.

> for j from 1 to 63 do
    for i from 1 to 64-j do
      f(a[j] + a[j+i] mod 2);
    od;
    printf("break here\n");
  od;

A.2  PC Check Coding

> restart;

> a := [seq(ListTools[Reverse](convert(i+64, base, 2)[1..-2]), i=0..63)];


Change as needed

> b := [0,0,1,0,0,0,0,1,1,1,1,0,0,1,1,1,0,1,0,0,1,0,1,0,1,0,0,0,1,1,0,
1,1,1,1,1,1,1,0,0,1,0,0,1,0,0,0,0,0,0,1,1,0,1,0,1,0,1,1,0,1,0,1,1];


Confirm 2^6 entries in each list

> nops(a); nops(b);

Define the function from the truth table (restart cleared the definition from A.1)

> for i from 1 to 64 do f(a[i]) := b[i]; od;

Add vector 001100 to every element in a mod 2;
evaluate resulting sum in function list

> for i from 1 to 64 do f(a[i] + [0,0,1,1,0,0] mod 2); od;

Compare original function value to PC check vector value

> myvec := [seq(f(a[i]) + f(a[i] + [0,0,1,1,0,0] mod 2) mod 2, i=1..64)];

Count # of times "1" appears --> weight of resulting vector;
the function passes the check for this vector exactly when the count is 32

> numboccur(myvec, 1);